Constructing Abelian Varieties for Pairing-Based Cryptography

Constructing Abelian Varieties for Pairing-Based Cryptography by David Stephen Freeman

A.B. (Harvard University) 2002

A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Mathematics in the GRADUATE DIVISION of the UNIVERSITY OF CALIFORNIA, BERKELEY

Committee in charge: Professor Kenneth A. Ribet, Co-chair Professor Edward F. Schaefer, Co-chair Professor Bjorn Poonen Professor David A. Wagner Spring 2008

The dissertation of David Stephen Freeman is approved:

Co-chair

Date

Co-chair

Date

Date

Date

University of California, Berkeley

Spring 2008

Constructing Abelian Varieties for Pairing-Based Cryptography

Copyright 2008 by David Stephen Freeman

1

Abstract

Constructing Abelian Varieties for Pairing-Based Cryptography by David Stephen Freeman Doctor of Philosophy in Mathematics University of California, Berkeley Professor Kenneth A. Ribet and Professor Edward F. Schaefer, Co-chairs Abelian varieties that have small embedding degree with respect to a large prime-order subgroup are key ingredients for implementing pairing-based cryptographic systems. Such “pairing-friendly” abelian varieties are rare and thus require specific constructions. We begin by giving a single coherent framework that classifies the known constructions of pairing-friendly ordinary elliptic curves. This abstract framework leads us to discover several new constructions of such curves. Our most important contribution in this regard is the construction of elliptic curves of prime order with embedding degree 10, which solves an open problem posed by Boneh, Lynn, and Shacham. We also describe a procedure for generating families of pairing-friendly elliptic curves with variable CM discriminant, which can be used to increase the degree of randomness in cryptosystem parameters. We then consider higher-dimensional abelian varieties. We provide two algorithms that, given a CM field K, construct Frobenius elements π of pairing-friendly ordinary abelian varieties with complex multiplication by K. Both algorithms generalize existing constructions of pairing-friendly ordinary elliptic curves. The first generalizes the method of Cocks and Pinch, while the second generalizes that of Brezing and Weng and leads to varieties over smaller fields than the first. Given the output π of either algorithm, one can then use complex multiplication methods to construct explicitly an abelian variety with Frobenius element π. Finally, we turn to the question of the complex multiplication methods used to construct explicit examples of pairing-friendly abelian varieties. We focus on the Chinese remainder theorem algorithm of Eisentr¨ager and Lauter for computing Igusa class polyno-

2 mials of quartic CM fields. One of the steps of this algorithm requires determining whether endomorphism rings of Jacobians of genus 2 curves over small prime fields are isomorphic to the ring of integers in a given quartic CM field. We provide an efficient probabilistic algorithm that carries out this computation. Using our algorithm to determine endomorphism rings, we have implemented a probabilistic version of the full Eisentr¨ager-Lauter algorithm in MAGMA and used it to compute Igusa class polynomials for several quartic CM fields K.

i

For Torrey, my mathematical muse.

ii

Contents List of Figures

iv

List of Tables

v

1 Introduction 1.1 Pairings in cryptography . . . . . . . . . . . . . 1.2 Pairing-friendly abelian varieties . . . . . . . . 1.2.1 Frobenius endomorphism and CM fields 1.2.2 Curves and Jacobians . . . . . . . . . . 1.2.3 Pairings and embedding degrees . . . . 1.2.4 Complex multiplication methods . . . . 1.2.5 Algorithms . . . . . . . . . . . . . . . . 1.2.6 Miscellaneous notation . . . . . . . . . . 1.3 Scope of this dissertation . . . . . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

1 1 5 6 7 8 12 15 15 16

2 A Taxonomy of Pairing-Friendly Elliptic Curves 2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2 How to generate pairing-friendly elliptic curves . . . . . . . . . . . . 2.2.1 Families of pairing-friendly curves . . . . . . . . . . . . . . . 2.2.2 Supersingular curves . . . . . . . . . . . . . . . . . . . . . . . 2.3 Generating ordinary elliptic curves with arbitrary embedding degree 2.3.1 The Cocks-Pinch method . . . . . . . . . . . . . . . . . . . . 2.3.2 The Dupont-Enge-Morain method . . . . . . . . . . . . . . . 2.4 Sparse families of pairing-friendly curves . . . . . . . . . . . . . . . . 2.4.1 MNT curves . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.4.2 Extensions of the MNT strategy . . . . . . . . . . . . . . . . 2.5 Complete families of pairing-friendly curves . . . . . . . . . . . . . . 2.5.1 Cyclotomic families . . . . . . . . . . . . . . . . . . . . . . . 2.5.2 Sporadic families of Brezing-Weng curves . . . . . . . . . . . 2.5.3 Scott-Barreto families . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . .

. . . . . . . . . . . . . .

. . . . . . . . . . . . . .

. . . . . . . . . . . . . .

18 18 20 22 27 31 31 32 34 37 39 39 41 47 49

3 New Constructions of Pairing-Friendly Elliptic Curves 3.1 Elliptic curves with embedding degree 10. . . . . . . . . . . . . . . . . . . . 3.1.1 Comparison with prior state of the art . . . . . . . . . . . . . . . . .

51 51 56

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

iii 3.2

More discriminants in cyclotomic families . . . . . . . . . . . . . . . . . . . 3.2.1 Algorithm for generating variable-discriminant families . . . . . . . .

58 63

4 Constructing Pairing-Friendly Abelian Varieties 4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.2 Weil numbers yielding prescribed embedding degrees . . . . 4.3 Performance of Algorithm 4.2.6 and examples . . . . . . . . 4.3.1 Examples demonstrating the distribution of ρ-values 4.3.2 Examples of cryptographic size . . . . . . . . . . . . 4.4 A generalized Brezing-Weng method . . . . . . . . . . . . . 4.5 Parameter selection in Algorithm 4.4.9 and examples . . . . 4.5.1 Dimension 2 . . . . . . . . . . . . . . . . . . . . . . . 4.5.2 Dimension 3 . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . .

5 Implementing the Genus 2 CM Method via the Chinese orem 5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 5.2 Computing zeta functions and the Frobenius element . . . 5.3 Constructing a generating set for OK . . . . . . . . . . . . 5.4 Determining fields of definition . . . . . . . . . . . . . . . 5.4.1 The brute force method . . . . . . . . . . . . . . . 5.4.2 The Gaudry-Harley-Schost method . . . . . . . . . 5.4.3 A probabilistic method . . . . . . . . . . . . . . . 5.5 Computing the action of Frobenius . . . . . . . . . . . . . 5.5.1 The brute force method . . . . . . . . . . . . . . . 5.5.2 A probabilistic method . . . . . . . . . . . . . . . 5.5.3 The Couveignes method . . . . . . . . . . . . . . . 5.6 Bounding the field of definition of the `d -torsion points . . 5.7 Computing Igusa class polynomials . . . . . . . . . . . . . 5.8 Implementation notes . . . . . . . . . . . . . . . . . . . . 5.9 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

. . . . . . . . . . . . . . .

96 96 100 102 107 108 108 109 112 113 113 118 119 125 127 129

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

134 134 134 137 142

. . . . . . . . . . . . .

152

A Parameters for Pairing-Friendly Abelian Varieties A.1 Elliptic curves with embedding degree 10 . . . . . . A.1.1 Curves of prime order . . . . . . . . . . . . . A.1.2 Curves with small cofactors . . . . . . . . . . A.2 Families of pairing-friendly abelian surfaces . . . . . A.3 Families of three-dimensional pairing-friendly abelian varieties . . . . . . . . . . . . . . . . . . . . . . . . . Bibliography

. . . .

. . . .

. . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

66 66 68 74 75 77 82 88 89 93

. . . . . . . . .

Remainder The-

155

iv

List of Figures 2.1

Classification of pairing-friendly elliptic curves

4.1

Distribution of ρ-values for pairing-friendly abelian surfaces with CM Q(ζ5 ) and embedding degree 2 with respect to r = 1021. . . . . . . . . Distribution of ρ-values for pairing-friendly abelian surfaces with CM Q(ζ7 ) and embedding degree 4 with respect to r = 29. . . . . . . . . .

4.2

. . . . . . . . . . . . . . . . field . . . field . . .

19

76 76

v

List of Tables 1.1

Bit sizes of parameters for one- and two-dimensional abelian varieties and corresponding embedding degrees to obtain commonly desired levels of security.

4

2.1

Families of pairing-friendly elliptic curves with k ∈ {15, 28, 44} and D = 2. .

47

3.1

Elliptic curve parameters for Boneh-Lynn-Shacham signatures with security equivalent to 2048-bit DSA. . . . . . . . . . . . . . . . . . . . . . . . . . . .

57

4.1 4.2 5.1 5.2 5.3

Quartic CM fields K contained in cyclotomic fields Q(ζ` ) with ϕ(`) ≤ 16. . 91 Best ρ-values for families of abelian surfaces. . . . . . . . . . . . . . . . . . 93 p √ Results for Algorithm 5.7.1 run with K =p Q(i 2 + 2) and λ1 , λ2 , λ3 = 1. 131 √ Results for Algorithm 5.7.1 with K = Q(ip13 + 2 13) and λ1 , λ2 , λ3 = 1. . 132 √ Results for Algorithm 5.7.1 with K = Q(i 29 + 2 29) and λ1 , λ2 , λ3 = 512 . 133

vi

Acknowledgments My research on pairing-friendly elliptic curves began during a summer internship at HewlettPackard Laboratories, Palo Alto, in 2005. I thank Vinay Deolalikar for suggesting this topic and for providing advice and support. I also thank Gadiel Seroussi for bringing me to HP Labs and for supporting my research. Chapters 2 and 3 include material from [41] and [37], the former of which is joint work with Mike Scott of Dublin City University (Ireland) and Edlyn Teske of the University of Waterloo (Canada), and the latter of which grew out of my work at HP Labs. I thank Paulo Barreto, Florian Hess, Ezekiel Kachisa, Ben Lynn, Michael Naehrig, Igor Shparlinski, Alice Silverberg, and Frederik Vercauteren for helpful discussions and feedback on earlier versions of the material in [41]. I thank Paulo Barreto, Steven Galbraith, and Mike Scott for their valuable feedback on earlier versions of the material in [37]. I am especially indebted to Mike Scott, who used the algorithm presented in Section 3.1 to compute examples of elliptic curves of cryptographic size with embedding degree 10. Two of these curves now appear in this dissertation as Examples 3.1.5 and 3.1.6, and further examples appear in Appendix A.1. Chapter 4 includes material from [42] and [39], the former of which is joint work with Peter Stevenhagen and Marco Streng of Universiteit Leiden (the Netherlands). The problem of constructing pairing-friendly genus 2 curves was first suggested to me by Kristin Lauter. My initial work on the subject, presented in [38], was inspired by discussions with Dan Boneh and Edward Schaefer in the winter of 2006-07. The material in [42] grew out of a visit to the Centrum voor Wiskunde en Informatica (CWI), Amsterdam, and Universiteit Leiden in the fall of 2007. I thank Ronald Cramer, Peter Stevenhagen, and the DIAMANT project for inviting me to the Netherlands. I thank Tanja Lange, Michael Naehrig, Edward Schaefer, and Marco Streng for helpful feedback on earlier drafts of the material in [39]. Chapter 5 includes material from [40], which is joint work with Kristin Lauter of Microsoft Research (USA). This line of research began as part of an internship at Microsoft Research, Redmond, during the summer of 2006. I thank Microsoft for its hospitality; Denis Charles and Jean-Marc Couveignes for helpful discussions; and Reinier Br¨oker, David Kohel, and Christophe Ritzenthaler for their feedback on previous versions of [40]. My dissertation research at UC Berkeley has been supported by a National Defense Science and Engineering Graduate Fellowship. I was previously supported by a National

vii Science Foundation Graduate Research Fellowship. I thank Everett Howe for help with background information on abelian varieties, and Bjorn Poonen for providing detailed and timely responses to a large number of questions. Special thanks go to Kenneth Ribet and Edward Schaefer, not only for guiding my research mathematically but also for providing invaluable advice and support regarding life in general. You are advisors in the best sense of the word. Thanks go also to friends and family for being generous with their love and support, to Stuart and Emerson for being furry, and to Torrey for being.

1

Chapter 1

Introduction 1.1

Pairings in cryptography The use of abelian varieties in public-key cryptography goes back to the mid-1980s,

when Victor Miller [89] and Neal Koblitz [65] independently proposed using groups of points on elliptic curves in discrete logarithm-based cryptosystems. The discrete logarithm problem on elliptic curves has now been studied extensively for more than twenty years, and it appears that the initial claim that the problem is computationally infeasible is still sound — to this day, there is no algorithm that solves the problem in less than exponential time. Higher-dimensional abelian varieties first appeared on the scene when Koblitz [66] proposed that the discrete logarithm problem is also infeasible on Jacobians of hyperelliptic curves over finite fields. The supposed advantage of g-dimensional abelian varieties over elliptic curves is that one can work over a field that is a factor of g smaller while retaining the same level of security, thus leading to potential speed advantages. However, it is only recently that the arithmetic operations on these varieties have been optimized to the point where, for certain applications, Jacobians of hyperelliptic curves are now competitive with elliptic curves in terms of performance at a given security level [11]. In the early days of elliptic curve cryptography, supersingular elliptic curves were often proposed for use in cryptosystems. Supersingular curves E over finite fields Fq have the feature that their number of Fq -rational points is easy to count, which was important in the days before fast point-counting algorithms were developed. However, in 1993 Menezes, Okamoto, and Vanstone [86] showed that the Weil pairing can be used to reduce the discrete logarithm problem on a supersingular elliptic curve E over Fq to the same problem in the

2 multiplicative group of some extension field Fqk with k ≤ 6. Shortly thereafter, Frey and R¨ uck [43] devised a similar reduction using the Tate pairing, which also applies to higherdimensional abelian varieties. Since there exist subexponential-time algorithms for discrete logarithms in multiplicative groups of finite fields, the discrete logarithm can usually be computed faster in F× than in E(Fq ), and thus these reductions were interpreted as attacks qk on the discrete logarithm problem on elliptic curves. After the publication of the MOV and Frey-R¨ uck attacks, supersingular elliptic curves were commonly perceived as “weak” and thus unsuitable for cryptography. This attitude reigned until 2000, when Antoine Joux [60] proposed a one-round protocol for three-party key agreement using the Weil or Tate pairings on supersingular elliptic curves. Joux’s key observation was that the curve parameters can be chosen so that the discrete logarithm problem is still infeasible even after the MOV or Frey-R¨ uck reduction, and that the bilinear property of the pairing allows one to perform computations in the “target group” F× that qk previously appeared to require a discrete logarithm. Joux’s discovery opened the floodgates, and in the next few years many important cryptosystems were constructed that made use of bilinear maps. The greatest success was the development of identity-based encryption, which was discovered independently by Sakai, Ohgishi, and Kasahara [109] and Boneh and Franklin [14], and which solved a problem first posed by Shamir in 1984 [114]. Other notable accomplishments include short signature schemes [17], broadcast encryption with small ciphertexts [15], and applications to private information retrieval and zero-knowledge proofs [16]. The subject has now expanded to the point where the First International Conference in Pairing-Based Cryptography was held in Tokyo in 2007; 86 papers were submitted and 18 were presented at the conference [121]. This work is no longer completely theoretical, either — at least one company, Voltage, Inc. [126], has brought pairing-based cryptography to market. All of the pairing-based cryptographic constructions use the pairing as a “black box”; that is, they can be implemented using any groups on which there is a nondegenerate bilinear map, or pairing. While the security proofs of these systems usually make use of assumptions such as the “bilinear Diffie-Hellman assumption” [14], in the most general sense the security level of the system is determined by the complexity of the discrete logarithm problems in the domain (“source group”) and codomain (“target group”) of the pairing. At present, the only known pairings between groups in which the discrete logarithm problems are computationally infeasible are the Weil and Tate pairings on abelian varieties

3 over finite fields, and their variants such as the Eta [7] and Ate [56] pairings. If A is a abelian variety defined over the field Fq of q elements, these pairings in general take as input a point P defined over Fq and a point Q defined over some extension field Fqk , and produce as output an element e(P, Q) of the multiplicative group F× . qk For a pairing-based system using A to be secure, the discrete logarithm problems in A(Fq ) and F× must both be infeasible. The best known generic discrete logarithm algorithm qk on abelian varieties (in both theory and practice) is the parallelized Pollard rho algorithm √ [104, 123]. This algorithm has heuristic running time O( r/m), where r is the size of largest prime-order subgroup of A(Fq ) and m is the number of processors used. In dimensions g ≥ 3 index calculus methods have been developed that can solve the discrete logarithm problem ˜ 2−2/g ), where the implied constant depends on g [1, 49, 53, 48]. For fixed in time O(q g these methods are still exponential in the field size q; however if the size of the group A(Fq ) is held constant, index calculus methods are subexponential in the dimension g. Thus abelian varieties of high dimension are usually considered to be unsuitable for cryptographic applications. On the other side of things, the best algorithm for discrete logarithm computation in finite fields is the index calculus attack (e.g., [99]), which has running time subexponential in the field size. Thus to achieve the same level of security on both sides of the pairing, the size q k of the extension field must be significantly larger than r. The ratio of these sizes is computed from three parameters: the embedding degree, which is the degree k of the extension field required by the pairing; the dimension g of the abelian variety; and a parameter ρ, which is defined to be g log q/ log r and which roughly measures the size of the entire group A(Fq ) relative to the size of the prime-order subgroup that provides input points to the pairing. The ratio of the number of bits in the extension field size to the number of bits in the subgroup order is thus given by ρ · k/g. There has been much speculation about the exact sizes of r and q k required to match standard sizes of keys for symmetric encryption, using for example the Advanced Encryption Standard (AES) [74, 101]. We outline in Table 1.1 one view of the matter for g = 1 or 2, distilled by Mike Scott from material taken from various authoritative sources, in particular [47] and [74]. The listed bit sizes are those matching the security levels of the SKIPJACK, Triple-DES, AES-Small, AES-Medium, and AES-Large symmetric key encryption schemes. By a “b-bit security level,” we mean the minimum number of bit operations necessary to break the system is (conjecturally) 2b . In dimensions g ≥ 3 the subgroup size r should be

4 Table 1.1: Bit sizes of parameters for one- and two-dimensional abelian varieties and corresponding embedding degrees to obtain commonly desired levels of security. Security level (in bits) 80 112 128 192 256

Subgroup size r (in bits) 160 224 256 384 512

Extension field size q k (in bits) 960 – 1280 2200 – 3600 3000 – 5000 8000 – 10000 14000 – 18000

ρ·k g=1 g=2 6–8 12 – 16 10 – 16 20 – 32 12 – 20 24 – 40 20 – 26 40 – 52 28 – 36 56 – 72

increased to take into account the existence of index calculus attacks, and the embedding degree k adjusted to take into account both r and g. As we can see from the table, to achieve varied levels of security it is necessary to construct curves with varying embedding degree. However, in their paper on the Weil pairing reduction, Menezes, Okamoto and Vanstone [86] showed that supersingular elliptic curves always have embedding degree k ≤ 6. Rubin and Silverberg [108] generalized this work to show that for g ≤ 6, supersingular abelian varieties always have embedding degree k ≤ 7.5g. Since these values are at the low end of the security spectrum (as Table 1.1 shows for the case where g = 1 or 2 and ρ ≈ 1), to obtain efficient performance at higher security levels we must construct non-supersingular varieties that have larger embedding degrees. As we will see in Section 1.2.3 below, this is in general a hard problem. We thus have the following Motivating Problem. Given positive integers b, k, and g, construct a g-dimensional abelian variety over a finite field that has a b-bit prime-order subgroup and embedding degree k. Any solution to this problem must be feasible for b of cryptographic size, i.e., large enough so that the discrete logarithm problem in a group whose order is a b-bit prime number is computationally infeasible. For current technology this means b ≥ 160. By “construct,” we mean that we wish to describe the given abelian variety explicitly in a way such that both arithmetic on the abelian variety and pairings can be computed in a reasonable amount of time with current hardware and software. The statement of the Motivating Problem refers to the size of the subgroup on the abelian variety and the embedding degree, but does not address directly the third parameter

5 needed to compute the security level in the finite field, namely the ρ-value. In general, varieties with small ρ-values are desirable in order to speed up arithmetic on the abelian variety. For example, an elliptic curve with a 160-bit subgroup and ρ = 1 is defined over a 160-bit field, while a curve with a 160-bit subgroup and ρ = 2 is defined over a 320bit field, and group operations and pairings can be computed much more quickly on the first curve. In addition, the cryptographic elements of a pairing-based protocol (such as keys and ciphertexts) usually consist of points on the abelian variety and are described in terms of coordinates in Fq , so systems using abelian varieties with smaller ρ-values require less bandwidth for the same security level. Thus in our attempts to solve the motivating problem, we prefer abelian varieties with smaller ρ-values, with our ultimate goal being varieties with a prime number of points, which have ρ ≈ 1.

1.2

Pairing-friendly abelian varieties Before we discuss our contribution to the solution of the Motivating Problem, we give

some relevant background on elliptic curves and abelian varieties and define the technical terminology we will use throughout this dissertation. For further background, Silverman [117] provides an excellent exposition of elliptic curves; information on abelian varieties can be found in the article of Waterhouse and Milne [129], which focuses on varieties over finite fields, and those of Milne [90, 92], which treat varieties over arbitrary fields. Lang’s book [72] is a standard reference for basic algebra, while Hartshorne’s [55] is the same for algebraic geometry. An abelian variety A is a smooth, projective, absolutely irreducible algebraic variety with a group structure whose operations are given by algebraic morphisms. An elliptic curve is a one-dimensional abelian variety, and an abelian surface is a two-dimensional abelian variety. If A is an abelian variety defined over a field F (written A/F ), we denote by A(F ) the group of F -rational points of A. If r is an integer, then A[r] denotes the group of all r-torsion points of A defined over an algebraic closure F of F . We denote by A(F )[r] the group of r-torsion points of A defined over F . If A has dimension g and r is prime to the characteristic of F , then A[r] ∼ = (Z/rZ)2g . A positive-dimensional abelian variety A/F is simple (or F -simple) if it is not isogenous over F to a product of lower-dimensional abelian varieties. We say that A is absolutely simple if it not isogenous over F to a product of lower-dimensional abelian varieties.

6

1.2.1

Frobenius endomorphism and CM fields

Let Fq denote the finite field of q elements. Every abelian variety A defined over Fq has an endomorphism called the Frobenius endomorphism, which is denoted by π and which operates by raising the coordinates of a point to the qth power. The Frobenius endomorphism satisfies a monic, integer polynomial hA known as the characteristic polynomial of Frobenius, which is the characteristic polynomial of the action of π on the Tate module T` for any prime ` - q [90, §12]. By a theorem of Weil [90, Theorem 19.1], all of the complex √ roots of hA have absolute value q; a monic, irreducible polynomial in Z[x] with this property is called a q-Weil polynomial, and any root is called a q-Weil number. By Honda-Tate theory [122], q-Weil polynomials are in one-to-one correspondence with isogeny classes of simple abelian varieties over Fq . If A is simple, then hA is a power of an irreducible polynomial and we can view π as an element of a number field K. The field K is either a CM field, which is an √ imaginary quadratic extension of a totally real field, or the field Q( q) [122]. We call a CM field K primitive if it contains no proper CM subfields. The full endomorphism algebra E = EndF (A) ⊗ Q is a central simple algebra over K = Q(π), and by a theorem of Tate [122] it satisfies 2 · dim(A) = [E : K]1/2 [K : Q].

(1.1)

Since A(Fq ) is the kernel of the endomorphism π − 1, we have #A(Fq ) = hA (1).

(1.2)

#A(Fq ) = NormK/Q (π − 1).

(1.3)

If E = K = Q(π), then we also have

A g-dimensional abelian variety A defined over a field F of characteristic p is ordinary if dimFp A[p] = g, or equivalently, if the middle coefficient of hA is prime to p. We say that A is supersingular if A is F -isogenous to a product of supersingular elliptic curves. Silverman [117, Theorem 3.1] characterizes supersingular elliptic curves, while Galbraith [44, Theorem 1] gives several equivalent conditions for an abelian variety to be supersingular. We call a q-Weil number π ordinary or supersingular if the corresponding abelian variety (in the sense of Honda-Tate theory [122]) is the same. If g ≥ 2 then there are g-dimensional abelian varieties that are neither ordinary nor supersingular.

7 If A is ordinary and simple then the endomorphism ring End(A) is commutative. It then follows from (1.1) that E = K = Q(π) and K has degree 2g, where g = dim A. In this case, End(A) is an order O in the ring of integers of K (denoted OK ). We take the statement A has complex multiplication by K or CM by K to mean that End(A) ⊗ Q ∼ = K, and we take the statement A has CM by O to mean that End(A) ∼ = O ⊂ OK . We will discuss the theory of complex multiplication further in Chapter 4. In the case of elliptic curves, we will often work with the trace of the Frobenius endomorphism, which is defined to be the integer t = π + π. Equation (1.2) then tells us that #E(Fq ) = q + 1 − t.

(1.4)

√ The trace satisfies the Hasse bound |t| ≤ 2 q [117, §5.1], which leads to upper and lower bounds on the number of Fq -rational points of E: √ √ q − 2 q + 1 ≤ #E(Fq ) ≤ q + 2 q + 1. If E/Fq is an elliptic curve with trace t, then t is relatively prime to q if and only if E is ordinary.

1.2.2

Curves and Jacobians

Throughout this dissertation, a curve will refer to a smooth, projective, absolutely irreducible algebraic variety of dimension one. We will often describe curves by equations in two variables, possibly with a singularity at infinity, such as C : y 2 = f (x). In this case we take the curve C to be the normalization of the projective closure of the affine plane curve defined by this equation. The genus of a curve C is the dimension of the space of regular differentials on C. A hyperelliptic curve over a field F is a curve C/F of genus g ≥ 2 for which there exists a two-to-one map, defined over F , from C to the projective line P1 . If the characteristic of F is not 2, any hyperelliptic curve of genus g can be represented by an affine model of the form y 2 = f (x), where f is a polynomial in F [x] of degree 2g + 1 or 2g + 2 with no multiple roots. All curves of genus 2 are hyperelliptic (see [55, Exercise IV.1.7]). If C is a curve over F , the Jacobian of C, denoted Jac(C), is a principally polarized abelian variety over F of dimension g, where g is the genus of C. The group Jac(C)(F ) is isomorphic to the group Pic0 (C) given by linear equivalence classes of degree-zero divisors

8 on C, the base extension of C to F . (For more information on Jacobians, see [91].) We will denote by O the trivial divisor class, which is the identity in the group Jac(C)(F ). When we say that a curve C has complex multiplication by a field K or an order O, we mean that Jac(C) has this property. If C is a genus 1 curve given by a Weierstrass equation of the form y 2 = f (x) with deg f = 3, we denote by O the single point at infinity in the projective closure of this affine curve. We then have an isomorphism of varieties C → Jac(C) given by φ : P 7→ [P − O]. We will identify C with Jac(C) by this isomorphism, and call C an elliptic curve.

1.2.3

Pairings and embedding degrees

Let A be an abelian variety defined over a field F , and let r be a positive integer relatively prime to char F . Let µr be the group of rth roots of unity in an algebraic closure of F . The Weil pairing is a nondegenerate, bilinear, Galois-equivariant map ˆ → µr , eweil,r : A[r] × A[r] where Aˆ is the dual of A. (If A is principally polarized, as is the case when A is a Jacobian, then Aˆ ∼ = A.) For definitions of the Weil pairing and proofs of its properties, see [117, §3.8] for elliptic curves and [90, §16] for general abelian varieties. If F is a finite field, the Tate pairing is a nondegenerate, bilinear, Galois-equivariant map ˆ )/rA(F ˆ ) → F × /(F × )r . etate,r : A(F )[r] × A(F If µr ⊂ F , then the target group F × /(F × )r is isomorphic to µr ; otherwise it is isomorphic to µs for some s | r. For a definition of the Tate pairing and proofs of its properties, see [33]. From these descriptions it is apparent that if F is finite, then to obtain Weil or Tate pairing values of order r we must work over a field containing the rth roots of unity. Definition 1.2.1. Let A be an abelian variety defined over a field F , and let r be a positive integer relatively prime to char(F ). We say that A has embedding degree k with respect to r if 1. A has a F -rational point of order r, and 2. [F (µr ) : F ] = k.

9 If C is a curve, then we say that C has embedding degree k with respect to r if and only if the Jacobian of C does. We often ignore r when stating the embedding degree, as it is usually clear from the context. The embedding degree gets its name because we can use a pairing to embed a cyclic subgroup of A(F ) of order r into the multiplicative group of the degree-k extension of F . The Menezes-Okamoto-Vanstone attack on the discrete logarithm problem on supersingular elliptic curves [86] makes use of such an embedding. If A is a g-dimensional abelian variety defined over Fq with q = pd and m is the multiplicative order of p modulo r, then the quantity m/dg is a good measure of the security of cryptosystems based on A [58]. If Fq is a prime field (i.e., d = 1) then this quantity is equal to k/g. For constructive applications of pairings, the embedding degree of A needs to be small enough so that the pairing is easy to compute, but large enough so that the discrete is computationally infeasible. Balasubramanian and Koblitz [5] showed logarithm in F× qk that for a random elliptic curve E over a random field Fq and a prime r ≈ q, the probability that E has embedding degree less than log2 q with respect to r is vanishingly small, and in general the embedding degree can be expected to be around r. Luca, Mireles, and Shparlinski [79] have obtained similar results for fixed values of q, and we expect analogous results to hold in higher dimensions. We conclude that if r is around 2160 (the smallest value currently acceptable for security in implementations) pairings on a random abelian variety will take values in a field of roughly 2160 bits, so the computation is completely hopeless. To avoid the Pohlig-Hellman attack [103], the points on A used in cryptographic protocols should have prime order. Thus we wish to construct abelian varieties over finite fields that have points of large prime order r and small embedding degree with respect to r. Such varieties are (informally) called “pairing-friendly.” Constructions of pairing-friendly abelian varieties make substantial use of the theory of cyclotomic polynomials and cyclotomic fields. We recall a few basic facts here; for a deeper discussion, see Lidl and Niederreiter’s book [77]. For every positive integer k, we let ζk denote a primitive kth root of unity in Q, i.e., an algebraic number such that (ζk )k = 1 and (ζk )` 6= 1 for any positive ` < k. The minimal polynomial of ζk over Q is called the kth cyclotomic polynomial and is denoted Φk (x). These polynomials have integer coefficients

10 and can be defined recursively by setting Φ1 (x) = x − 1 and using the formula Y Φd (x) xk − 1 =

(1.5)

d|k

for k > 1. The degree of Φk (x) is denoted ϕ(k) and is also called Euler’s phi function; it gives the number of positive integers less than or equal to k that are relatively prime to k. Lemma 1.2.2. Let A be an abelian variety over a finite field Fq with an Fq -rational point of order r. If r is relatively prime to q then the following conditions are equivalent: 1. A has embedding degree k with respect to r. 2. k is the smallest integer such that r divides q k − 1. 3. k is the multiplicative order of q modulo r. Furthermore, if r is a prime not dividing k then these conditions are equivalent to 4. Φk (q) ≡ 0 (mod r), where Φk is the kth cyclotomic polynomial. Proof. The equivalence of (1) and (2) follows from the fact that the multiplicative group of a finite field is cyclic, and the equivalence of (2) and (3) follows trivially from the definitions. Now suppose r is prime and (2) holds, so r | q k − 1 but r - q i − 1 for any 1 ≤ i < k. By (1.5) and since r is prime, this means r | Φk (q). Conversely, if (4) holds, then (1.5) implies that r | q k − 1. It remains to show that r - q i − 1 for any 1 ≤ i < k. We follow Menezes’ proof [85, Lemma 6.3]. Let f (x) = xk − 1 and F = Z/rZ. Then F is a field. Since r - k, we have gcd(f (x), f 0 (x)) = 1 in F[x]. Thus, f has only single roots in F. Using (1.5) and the fact that q is a root of Φk (x) over F, we obtain Φd (q) 6≡ 0 (mod r) for any d | k, 1 ≤ d < k. Therefore, r - q d − 1 for any d | k, 1 ≤ d < k. Finally, we note that r - q i − 1 for any positive i that does not divide k, since in this case we would have r | q gcd(i,k) − 1. We can also give a characterization of the embedding degree in terms of the Frobenius endomorphism π. Corollary 1.2.3. Let A/Fq be a simple abelian variety with Frobenius endomorphism π, and suppose that K = Q(π) equals End(A) ⊗ Q. Let k be a positive integer, Φk the kth cyclotomic polynomial, and r a square-free integer not dividing kq. If NormK/Q (π − 1) ≡ 0

(mod r),

Φk (ππ) ≡ 0

(mod r),

11 then A has embedding degree k with respect to r. Proof. Since r is square-free, the first condition tells us that A(Fq ) has a cyclic subgroup of order r, while the second tells us that condition (4) of Lemma 1.2.2 holds for each prime dividing r. We also observe that in the case of an elliptic curve E/Fq with trace of Frobenius t and a cyclic subgroup of order r, the formula for the number of points (1.4) implies that q ≡ t − 1 (mod r), and thus we can rephrase Lemma 1.2.2 in terms of t − 1: Corollary 1.2.4. Let E be an elliptic curve over a finite field Fq with trace of Frobenius t and an Fq -rational point of order r. If r is relatively prime to q then the following conditions are equivalent: 1. E has embedding degree k with respect to r. 2. k is the smallest integer such that r divides (t − 1)k − 1. 3. k is the multiplicative order of t − 1 modulo r. Furthermore, if r is a prime not dividing k then these conditions are equivalent to 4. Φk (t − 1) ≡ 0 (mod r), where Φk is the kth cyclotomic polynomial. For implementation purposes, the subgroup of prime order r should be close as possible to the full group A(Fq ), with the “ideal” case being that r is actually the full group order. Since this ideal is difficult to achieve in practice, we define a parameter ρ that represents how close to this ideal a given g-dimensional abelian variety is. Using the fact that #A(Fq ) ≈ q g [90, Theorem 19.1], we can approximate the ratio of the size (in bits) of this group order to the size (in bits) of the subgroup order r by the parameter ρ=

g log q . log r

(1.6)

We can interpret the ρ-value of an abelian variety as the ratio of the abelian variety’s required bandwidth to its security level. As we discussed in Section 1.1, abelian varieties with ρ-values close to 1 usually provide the best performance in implementations. However, such varieties are often limited to specific, small embedding degrees k, and thus to achieve comparable security levels in A[r] and F× it is not uncommon to use varieties with larger qk ρ-values.

12

1.2.4

Complex multiplication methods

From the discussion above, we see that the problem of constructing a pairing-friendly abelian variety essentially reduces to determining a q-Weil number π and a subgroup size r that have the relationship specified by Corollary 1.2.3, and then constructing an explicit abelian variety over Fq with Frobenius element π. The bulk of this dissertation is dedicated to solving the first problem. The latter task is achieved by complex multiplication methods, or CM methods, which we now discuss. The key idea underlying CM methods is the following: by the Serre-Tate theory of canonical liftings [78], every ordinary abelian variety A over Fq is the reduction modulo a suitable prime p over q of an abelian variety A0 over Q with End(A0 ) ∼ = End(A). Furthermore, if A is a simple, principally polarized abelian variety of dimension g ≤ 3, then A0 is the Jacobian of a genus g curve C0 /Q. At present, CM methods have only been developed in dimension g ≤ 3. In these cases, we have the following: Proposition 1.2.5. Let π be an ordinary q-Weil number, and suppose that the number field K = Q(π) is a primitive CM field of degree 2g with g ≤ 3. Then there is a genus g curve C/Fq such that End(Jac(C)) ∼ = OK , the ring of integers of K, and either 1. C is elliptic or hyperelliptic and Jac(C) has Frobenius element π, or 2. C is a smooth plane quartic and Jac(C) has Frobenius element π or −π. Proof. The result is well-known for g = 1, so we consider the cases g = 2 or 3. Let A be the isogeny class of abelian varieties over Fq with Frobenius element π. Since K is primitive and π is ordinary, it follows from the Honda-Tate theorem [122, Th´eor`eme 1] that any abelian variety A ∈ A is absolutely simple. Suppose there is an A ∈ A that is principally polarized and has endomorphism ring isomorphic to OK . Then by theorems of Weil (for g = 2) and Oort and Ueno (for g = 3) [100], A is Fq -isomorphic to the Jacobian of a genus g curve C. If C is hyperelliptic, then there is a hyperelliptic curve C/Fq such that Jac(C) is Fq -isomorphic to A (see e.g. [73, Appendix, §7]), proving statement (1). If C is not hyperelliptic then there is a curve C/Fq such that Jac(C) is Fq -isomorphic to either A or its quadratic twist A0 (again, see e.g. [73, Appendix, §7]). Any nonhyperelliptic curve of genus 2 or 3 is a smooth plane quartic, so

13 statement (2) now follows from the facts that End(A0 ) ∼ = End(A) and A0 has Frobenius element −π. It remains to show that there is an A ∈ A that is principally polarized and has endomorphism ring isomorphic to OK . Let K0 be the maximal totally real subfield of K. By the work of Howe [59, Propositions 5.7 and 10.1], it suffices to show that there is a finite prime p of K0 that ramifies in K. For g = 2, a variation of Howe’s proof of [59, Lemma 12.1] shows that if there is no finite prime p of K0 that ramifies in K, then K contains an imaginary quadratic subfield, contradicting the assumption that K is primitive. For g = 3, the result follows directly from [59, Corollary 10.3]. Proposition 1.2.5 has as an immediate consequence that given a primitive CM field K and an ordinary Weil number π ∈ OK , we can solve the construction problem by compiling the finite list of Q-isomorphism classes of curves in characteristic zero whose Jacobians have CM by OK . From representatives of this list, we obtain a list C of curves over Fq whose Jacobians have CM by OK by reducing at some fixed prime p over q. Changing the choice of the prime p amounts to taking the reduction at p of conjugate curves, which also have Jacobians with CM by OK . For every curve C ∈ C, we compute the set of its twists, i.e., all the curves up to Fq isomorphism that become isomorphic to C over Fq . If C is elliptic or hyperelliptic (which is always the case when g ≤ 2), then there is at least one twist C 0 of a curve C ∈ C whose Jacobian has the specified Frobenius element π. This curve can be selected from the list of twists using the fact that # Jac(C)(Fq ) = NormK/Q (π − 1). (Note that while efficient point-counting algorithms do not exist for varieties of dimension g > 1, if q  g we can determine probabilistically whether an abelian variety over Fq has a given order by choosing a few random points, multiplying by the expected order, and seeing if the result is always the identity.) If C is not hyperelliptic, then it may happen that we can only find a curve C 0 such that Jac(C 0 ) has Frobenius element −π; in this case the desired abelian variety is the quadratic twist of Jac(C 0 ), which cannot be described as the Jacobian of a curve over Fq . It now remains only to construct the list of curves over Q with CM by OK . In genus 1, where we are dealing with elliptic curves, the problem has been studied extensively. The j-invariants of elliptic curves over Q with CM by the ring of integers OK of a quadratic imaginary field K are the roots of the Hilbert class polynomial of K, which is a monic, square-free polynomial with integer coefficients. There are three different approaches

14 to computing the Hilbert class polynomial: a complex-analytic algorithm [3, 35], a Chinese remainder theorem algorithm [23, 2], and a p-adic algorithm [29, 20]. The best running ˜ 2 ), where hK is the class number of K [35, 20]. Since time for these algorithms is O(h K the degree of the Hilbert class polynomial is hK and the bit size of the coefficients grows roughly linearly in hK , this running time is essentially the best possible. At present, the largest class number for which the elliptic curve CM method is feasible is hK = 105 [35]. Analogous methods exist for constructing genus 2 curves over Q with CM by the ring of integers OK of a given quartic CM field K. In this case, the solutions rely on computing the curves’ absolute Igusa invariants via the computation of the Igusa class polynomials for K, which lie in Q[x]. (A precise definition of the Igusa class polynomials appears on page 96.) Again there are three different approaches to computing the class polynomials: a complex-analytic algorithm [119, 124, 131, 27], a Chinese remainder theorem algorithm [34], and a p-adic algorithm [51]. These algorithms are less extensively developed than their elliptic curve analogues; at present they can handle only very small quartic CM fields, and there is no running time analysis for any of them. We discuss the genus 2 CM method in more detail in Chapter 5, focusing on the Chinese remainder approach. In genus 3, the invariant theory and the corresponding theory of class polynomials have been developed only in two special cases. The first, due to Weng [130], is the case of hyperelliptic curves with CM by a degree-6 field K containing Q(i). The second, due to Koike and Weng [70], is the case of Picard curves (curves of the form y 3 = f (x) with deg f = 4) with CM by a degree-6 field K containing Q(ζ3 ). In both cases the class polynomials are computed via a complex-analytic algorithm, and the algorithms are again limited to very small CM fields K. In each of these cases the correspondence between curves and absolute invariants commutes with reduction at p. It follows that we can find the invariants of curves C/Fq that have CM by OK by computing roots of the class polynomials in Fq . (See [34, Theorem 2], reproduced as Theorem 5.1.2 below, for a precise statement of this result in the case g = 2.) An explicit equation for the curve C can then be computed from the invariants using well-known formulas for g = 1, using Mestre’s algorithm [88] for g = 2, and using the appropriate algorithms in the two tractable cases with g = 3 [130, 70]. The requirement that Jac(C) be ordinary is essential, and ensures that p = char(Fq ) does not divide the denominator of any coefficient of the class polynomial; see [54, Section 4] for further details in the case g = 2.

15 Explicit CM theory has not been developed for dimensions g ≥ 4, save for a few specific examples. Moreover, “most” principally polarized abelian varieties of dimension g ≥ 4 are not Jacobians, as the moduli space of Jacobians has dimension 3g − 3, while the moduli space of abelian varieties has dimension g(g + 1)/2. For implementation purposes we prefer Jacobians or even hyperelliptic Jacobians, as these are the only abelian varieties on which group operations and pairings can be computed efficiently over finite fields of cryptographic size.

1.2.5

Algorithms

Many of the results in this dissertation are presented in the form of algorithms. We define an algorithm to be a sequence of computations that can be implemented on a Turing machine and is guaranteed to terminate after a finite amount of time. A probabilistic algorithm is an algorithm that has access to an external source of input from which truly random bits can be generated. When we say that a probabilistic algorithm terminates in a finite amount of time, we mean that for any valid input the expected running time Z ∞ tP (t)dt, 0

where P (t) is the probability of terminating at time t, is finite. Our definition does not take into account whether an algorithm produces correct output; an algorithm’s proof of correctness is separate from its statement. When we say that a probabilistic algorithm is correct, we mean that for any valid input it produces correct output with probability greater than 1/2. We also make no a priori claims about the running time of our algorithms. Indeed, showing that our algorithms can run in polynomial time with negligible error probability will often be an essential part of our discussion. In general we will not distinguish between probabilistic and deterministic algorithms. Indeed, some of our algorithms contain steps such as “choose element x from set Y ” that can be implemented either deterministically or probabilistically. Obviously, any algorithm that makes explicit reference to randomness in its description will be probabilistic.

1.2.6

Miscellaneous notation

We denote by Z the ring of integers, and by Q, R, and C the fields of rational, real, and complex numbers respectively. If F is a field we denote by F an algebraic closure of F . Unless otherwise stated, all fields are assumed to be separable.

16 The “big-O” notation f (x) = O(g(x)) means that there exist positive constants C and N such that for any x > N , |f (x)| ≤ C |g(x)|. If g(x) > 1 for x sufficiently large, the ˜ “soft-O” notation f (x) = O(g(x)) means that there is some positive integer k such that k ˜ f (x) = O(g(x) log g(x)). Note that f (x) = O(g(x)) implies that f (x) = O(g(x)1+ ) for any  > 0. Analogous definitions hold for functions of several variables.

1.3

Scope of this dissertation In this dissertation we present several new contributions to the solution of the Moti-

vating Problem of page 4. We focus on the case where the abelian variety in question is ordinary, as supersingular varieties of low dimension have already been classified by Rubin and Silverberg and been shown to have bounded embedding degree k in any dimension g, and varieties of intermediate type are poorly understood in the context of pairing-friendly abelian varieties.† In Chapter 2 we give an abstract and general framework that classifies the known constructions of pairing-friendly ordinary elliptic curves. Our framework allows the practitioner to quickly determine the various attributes of any such construction, making it easy to select a construction for any specified set of performance and security requirements. More importantly, our framework leads us to discover new constructions of pairingfriendly ordinary elliptic curves. We describe these new constructions in Chapter 3. Our most important contribution in this regard is the construction of elliptic curves of prime order with embedding degree 10, which solves an open problem posed by Boneh, Lynn, and Shacham [17]. We also describe a procedure for generating families of pairing-friendly elliptic curves with variable CM discriminant, which will be useful for those who desire the maximum possible degree of randomness in cryptosystem parameters. In Chapter 4 we study higher-dimensional abelian varieties. We provide two algorithms that, given a CM field K, construct Frobenius elements π of pairing-friendly ordinary abelian varieties with CM by K. Both algorithms generalize existing constructions of pairingfriendly ordinary elliptic curves. The first method generalizes the construction of Cocks and Pinch [25] and works for (nearly) arbitrary subgroup sizes r. The second generalizes the method of Brezing and Weng [19] and leads to varieties with better ρ-values than the † There is one discussion in the literature of such intermediate varieties, due to Hitt [57], which gives existence results for pairing-friendly abelian surfaces of intermediate type in characteristic 2. Explicit construction of pairing-friendly varieties of this type remains an entirely open problem.

17 first. Given the output π of either algorithm, one can then use complex multiplication methods to construct explicitly an abelian variety with Frobenius element π. Finally, in Chapter 5 we turn to the question of the CM methods used to construct explicit examples of pairing-friendly abelian varieties. We focus on implementation aspects of Eisentr¨ager and Lauter’s Chinese remainder theorem algorithm [34] for computing Igusa class polynomials of quartic CM fields. One of the steps of this algorithm requires determining whether endomorphism rings of Jacobians of genus 2 curves over small prime fields are isomorphic to the full ring of integers in a given quartic CM field. Our contribution is to provide an efficient probabilistic algorithm that carries out this computation. Using our algorithm to determine endomorphism rings, we have implemented a probabilistic version of the full Eisentr¨ager-Lauter CRT algorithm in MAGMA [18] and used it to compute Igusa class polynomials for several quartic CM fields K with small discriminant. We find that in practice the running time of the CRT algorithm is dominated not by the endomorphism ring computation but rather by the need to compute p3 curves for many small primes p.

18

Chapter 2

A Taxonomy of Pairing-Friendly Elliptic Curves 2.1

Introduction During the time that pairing-based cryptography has been studied in earnest, numer-

ous researchers have worked on the Motivating Problem of page 4 in the case of elliptic curves, i.e., g = 1, and there now exist many methods for constructing pairing-friendly elliptic curves. In this chapter we gather these constructions into a single coherent framework. A diagram outlining our classification is given in Figure 2.1. Our framework will aid the practitioner by allowing him or her to select elliptic curves for any desired combination of performance and security requirements. More importantly, by determining the abstract properties that make the existing constructions work, we can use these properties to produce new constructions that improve on the known ones. These new constructions appear in Chapter 3. The designers of the first pairing-based protocols proposed the use of supersingular elliptic curves [14]; we discuss these curves in Section 2.2.2. However, supersingular curves are limited to embedding degree k = 2 for prime fields and k ≤ 6 in general [86], so for higher embedding degrees we must turn to ordinary curves. There are a large number of constructions of ordinary elliptic curves with prescribed embedding degree. All of these constructions are based on the complex multiplication (CM) method of curve construction (see Section 1.2.4), and all construct curves over prime fields.

19

Figure 2.1: Classification of pairing-friendly elliptic curves

Pairing-friendly elliptic curvesQ

Families of curves @

Sparse families (§2.4)

         

MNT & GMV curves

QQQ QQQ

mm mmm mmm

Curves not in families PP m

@@ PPP mm @@ P mmm @@ DEM curves Cocks-Pinch @@ Supersingular @@ (§2.3.2) curves (§2.3.1) @@curves (§2.2.2) @@ @

Complete familes r (§2.5) LLL

r rrr r r rrr

Cyclotomic families (§2.5.1)

Sporadic families (§2.5.2)

LLL LLL L

Scott-Barreto families (§2.5.3)

The highest-level distinction we make in our framework is between methods that construct individual curves and those that construct families of curves. The former type are methods that give integers q and r such that there is an elliptic curve E over Fq with a subgroup of order r and embedding degree k with respect to r. The latter type are methods that give polynomials q(x) and r(x) such that if q(x0 ) is prime for some value of x0 , there is an elliptic curve E over Fq(x0 ) with a subgroup of order r(x0 ) and embedding degree k with respect to r(x0 ). Families of curves have the advantage that the sizes of the finite field and the prime-order subgroup can be varied simply by specifying x0 . There are two constructions in the literature that produce ordinary elliptic curves with small embedding degree that are not given in terms of families: the method of Cocks and Pinch [25] and that of Dupont, Enge, and Morain [32]. In Section 2.3 we describe these two methods and discuss their merits and drawbacks. The remaining constructions of ordinary elliptic curves with small embedding degree fall into the category of families of curves. Here we make another distinction. The construction of such curves depends on our being able to find integers x, y satisfying an equation of the form Dy 2 = 4q(x) − t(x)2

20 for some fixed positive integer D and polynomials q(x) and t(x). The parameter D is the “CM discriminant” (which we often call simply the “discriminant”), which we will define formally in Section 2.2. In some cases, this equation will only have solutions for some set of (x, y) that grows exponentially; we call such families sparse. In others, this equation may be satisfied for any x, i.e., we can write y as a polynomial in x and the equation gives an equality of polynomials; we call such families complete. Sparse families, discussed in Section 2.4, are primarily based on the ideas of Miyaji, Nakabayashi, and Takano [93]. These families give most of the known constructions of curves of prime order, but are limited to small embedding degrees k. Complete families, discussed in Section 2.5, exist for arbitrary k but usually give curves with ρ > 1. All of the constructions of complete families can be viewed as choosing a polynomial r(x) parametrizing the pairing-friendly subgroup size and computing polynomials in Q[x] that map to certain elements of the number field K = Q[x]/(r(x)). We can further classify the complete families according to properties of the number field K. We briefly list the families and the corresponding type of number field. • Cyclotomic families (§2.5.1): K is a cyclotomic field, r is a cyclotomic polynomial, √ and K contains −D for some small D. Constructions given in [8, 19]. • “Sporadic” families (§2.5.2): K is a (perhaps trivial) extension of a cyclotomic field, r √ is not a cyclotomic polynomial, and K contains −D for some small D. Constructions given in [9, 62]. • Scott-Barreto families (§2.5.3): K is a (perhaps trivial) extension of a cyclotomic field, √ and K contains no −D for any small D. Constructions given in [113]. Much of the material in this chapter is joint work with Michael Scott of Dublin City University (Ireland) and Edlyn Teske of the University of Waterloo (Canada). A more comprehensive exposition of these topics appears in [41].

2.2

How to generate pairing-friendly elliptic curves In this section we discuss the common properties of the various constructions of pairing-

friendly elliptic curves. As we saw in Section 1.2.3, it is unlikely that a “random” elliptic curve over a finite field will have small embedding degree with respect to a large primeorder subgroup, and thus construction of curves with these properties requires specialized

21 algorithms. All such algorithms currently in the literature follow essentially the same highlevel structure: 1. Fix k, and compute integers t, r, q such that there is an elliptic curve E/Fq that has trace t, a subgroup of prime order r, and embedding degree k. 2. Use the complex multiplication method to find the equation of the curve E over Fq . The difficult part of such algorithms is finding t, r, q as in Step (1) while ensuring that Step (2) remains feasible. We now specialize to the case where E is ordinary; a discussion of supersingular curves can be found in Section 2.2.2. An ordinary elliptic curve with the properties described in Step (1) exists if and only if the following conditions hold: 1. q is prime or a prime power. 2. r is prime. 3. t is relatively prime to q. 4. r divides q + 1 − t. 5. r divides Φk (q), where Φk is the kth cyclotomic polynomial. 6. 4q − t2 = Dy 2 for some square-free positive integer D and some integer y. Condition (1) ensures that there is a finite field with q elements. Since the proportion of prime powers to primes is virtually zero, we will in general take q to be a prime number. √ Condition (6) implies that t ≤ 2 q; together with condition (3) this implies that there exists an ordinary elliptic curve E defined over Fq with #E(Fq ) = q + 1 − t (cf. [128, Theorem 4.1]). Conditions (2) and (4) combine to tell us that E(Fq ) has a subgroup of prime order r. By Lemma 1.2.2, condition (5) is equivalent to E having embedding degree k with respect to r. We now know that if such t, r, q can be constructed, then there exists an ordinary elliptic curve E/Fq with embedding degree k and an order-r subgroup. The characteristic polynomial of Frobenius for E is x2 −tx+q, and thus condition (6) implies that End(E)⊗Q ∼ = √ Q( −D). By Proposition 1.2.5, we may assume that End(E) is isomorphic to the ring of √ integers of K = Q( −D). We may thus compute the j-invariant of E as a root of the

22 Hilbert class polynomial for OK , modulo a prime over q. If the class number hK of K is sufficiently small then this class polynomial can be constructed in a reasonable amount of time; in practice we can take hK < 105 [35]. The equation in condition (6) is called the CM equation. We call the integer D the CM discriminant of E/Fq ; it is defined to be the square-free part of the nonnegative integer 4q − t2 . (Other authors may define the CM discriminant to be negative, or to be the √ discriminant of the quadratic imaginary field Q( −D).) If we use condition (4) to write q + 1 − t = hr for some positive integer h, then the CM equation is equivalent to Dy 2 = 4hr − (t − 2)2 .

(2.1)

We call h the cofactor of the pairing-friendly curve.

2.2.1

Families of pairing-friendly curves

For applications, we would like to be able to construct curves of specified bit size. To this end, we describe “families” of pairing-friendly curves for which the curve parameters t, r, q are given as polynomials t(x), r(x), q(x) in terms of a parameter x. The idea of parametrizing t, r, q as polynomials has been used by several different authors in their constructions, including Miyaji, Nakabayashi, and Takano [93]; Barreto, Lynn, and Scott [8]; Scott and Barreto [113]; and Brezing and Weng [19]. Our definition of a family of pairing-friendly curves is a formalization of ideas implicit in these works. The definition provides a concise description of many existing constructions and gives us a framework that we can use to discover previously unknown pairing-friendly curves. Since the values of q(x) and r(x) will be the sizes of a field and a group in which we wish to do cryptography, respectively, the polynomials we construct will need to have the property that for many values of x, q(x) is a prime power (which in general we will take to be a prime) and r(x) is prime or a small cofactor times a prime. However, one drawback to the description of q and r as polynomials is that very little is known about prime values of polynomials. For example, it is not even known that x2 + 1 takes an infinite number of prime values. Thus when describing the polynomials that we wish to take prime values, we must impose conditions that make it likely that they will do so. Our definition is motivated by the following fact: if f (x) ∈ Z[x], then a famous conjecture of Buniakowski and Schinzel (see [72, p. 323]) says that a non-constant f (x) takes an infinite number of prime values if and only if f has positive leading coefficient, f is

23 irreducible, and gcd({f (x) : x ∈ Z}) = 1. Furthermore, a conjecture of Bateman and Horn [10] vastly generalizes the prime number theorem to give the expected density of such prime values. For our purposes we must also consider polynomials with rational coefficients; our definition incorporates the natural generalization of these conjectures to such polynomials. Definition 2.2.1. Let f (x) be a polynomial with rational coefficients. We say f represents primes if the following conditions are satisfied: 1. f (x) is non-constant. 2. f (x) has positive leading coefficient. 3. f (x) is irreducible. 4. f (x) ∈ Z for some x ∈ Z (equivalently, for an infinite number of x ∈ Z). 5. gcd({f (x) : x, f (x) ∈ Z}) = 1. For future reference, we note that if there is some x such that f (x) = ±1, then conditions (4) and (5) are both satisfied. We need one more definition before we can define families of pairing-friendly curves. Definition 2.2.2. A polynomial f (x) ∈ Q[x] is integer-valued if f (x) ∈ Z for every x ∈ Z. For example, f (x) = 21 (x2 + x + 2) is integer-valued and represents primes. Definition 2.2.3. Let t(x), q(x), r(x) ∈ Q[x] be nonzero polynomials. (i) For a given positive integer k and positive square-free integer D, the triple (t, r, q) represents a family of elliptic curves with embedding degree k and discriminant D if the following conditions are satisfied: 1. q(x) = p(x)d for some d ≥ 1 and p(x) that represents primes. 2. r(x) is non-constant, irreducible, and integer-valued, and has positive leading coefficient. 3. r(x) divides q(x) + 1 − t(x). 4. r(x) divides Φk (t(x) − 1), where Φk is the kth cyclotomic polynomial. 5. The equation Dy 2 = 4q(x) − t(x)2 has infinitely many integer solutions (x, y).

24 If these conditions are satisfied, we often simply call (t, r, q) a family. (ii) We say that a family (t, r, q) is ordinary if gcd(t(x), q(x)) = 1. (iii) We say that a family (t, r, q) is complete if for every integer x there is some integer y that satisfies the equation Dy 2 = 4q(x) − t(x)2 ; otherwise we say that the family is sparse. (iv) We say that (t, r, q) represents a potential family of curves if conditions (2)–(5) of (i) are satisfied; in this case q(x) may or may not be a power of a p(x) that represents primes. Part (i) of Definition 2.2.3 is designed so that if (t, r, q) represents a family of curves with embedding degree k, and (x0 , y0 ) is a solution to the equation of condition (5) such that p(x0 ) is prime, then there exists an elliptic curve E/Fq(x0 ) with a subgroup of order √ r(x0 ) and embedding degree k. If the class number of Q( −D) is less than 105 then E can be constructed via the CM method. In practice we will usually have d = 1 in condition (1), so q(x) will represent primes and the curves we construct will be defined over prime fields. For cryptographic applications, we also need r(x0 ) to be prime or very nearly prime; the conditions (2) on r(x) suggest that this will often be the case. We can then use the following algorithm to search for an x0 with the desired properties. Algorithm 2.2.4. Input: polynomials q(x) and r(x) ∈ Q[x] satisfying conditions (1) and (2) of Definition 2.2.3 (i), respectively, and a positive integer y0 . Output: positive integers x0 and h such that q(x0 ) is prime and r(x0 ) is h times a prime. 1. Compute integers a, b such that q(ax + b) is integer-valued and represents primes. 2. Set h ← gcd({q(ax + b)r(ax + b) : x ∈ Z}). 3. Set re(x) ← r(x)/h. 4. Set x1 ← y0 . 5. Repeat x1 ← x1 + 1 until q(ax1 + b) and re(ax1 + b) are prime integers. 6. Set x0 ← ax1 + b. Return h and x0 .

25 The input y0 is the starting point for the search, and should be chosen so that r(y0 )/h is at least the minimum size desired for security. Since h does not depend on the input yo , if the h output by the algorithm is too large we can try again with a larger y0 . Proposition 2.2.5. Suppose the q(x) and r(x) input into Algorithm 2.2.4 have degrees d1 and d2 respectively. If the Bateman-Horn conjecture [10] is true, then the expected running time of the algorithm is O(d1 d2 (log αδy0 )2 ), where δ is the smallest integer such that δq(x) ∈ Z[x] and α = max{q(x)r(x) : |x| ≤ δ/2}. Proof. We first show that integers a, b as in Step (1) always exist. Write q(x) = qe(x)/δ; then qe(x) ∈ Z[x]. Write the factorization of δ as Y

δ=

pep .

p prime

Since q(x) represents primes, for each p there exists a bp such that q(bp ) is an integer not divisible by p, and thus pep divides qe(bp ) exactly. Let a and b be integers such that a=

Y

pep +1 ,

b ≡ bp

(mod pep +1 ) for all p | δ.

p|δ

Then q(ax + b) is integer-valued and is nonzero mod p for every p dividing δ. For every p not dividing δ, ax + b ranges through all residue classes mod p, so there is some residue class of x mod p for which p does not divide qe(ax + b). Thus there is no prime p dividing q(ax + b) for all x, which is equivalent to q(ax + b) representing primes. Let h be as in Step (2). Since q(ax + b) and r(ax + b) are integer-valued and q(ax + b) represents primes, there is some c such that gcd {q(ax + b) : x ≡ c mod h}




= 1,

gcd {r(ax + b) : x ≡ c mod h}




= h.

It follows that the values of the polynomials q(ahx + ac + b) and re(ahx + ac + b) are integers with no common divisor. The Bateman-Horn conjecture implies that we should expect to test roughly d1 d2 (log ahy0 )2 values of x1 before we find one for which q(ax1 + b) is prime and r(ax1 + b) is h times a prime. Since log a = O(log δ) and h ≤ α, the result follows. Proposition 2.2.5 shows that heuristically, the expected number of executions of Step (5) is linear in the degrees of q and r, and quadratic in the number of bits in y0 . We note

26 (and find in practice) that the a computed in Step (1) can be smaller than the a produced in the proof of the proposition, and that there may be multiple valid choices of b for a given a. In addition, the α of the statement is usually a gross overestimate. Condition (3) of Definition 2.2.3 (i) ensures that for a given value x0 for which q(x0 ) is prime, r(x0 ) divides #E(Fq(x0 ) ). If in fact r(x0 ) = q(x0 ) + 1 − t(x0 ), then for values of x for which r(x0 ) and q(x0 ) are both prime, #E(Fq ) will be prime. This is the “ideal” case, but it is difficult to achieve in practice. We therefore extend our definition of the parameter ρ (1.6) to indicate how close to this ideal a given family of curves is. Recall that the ρ-value of a g-dimensional abelian variety over Fq with respect to a subgroup of order r is ρ = g log q/ log r. If q = q(x) and r = r(x) are parametrized as polynomials, then for large x the ρ-value approaches g deg q/ deg r. This analysis leads to the following definition of ρ-value for a family of elliptic curves: Definition 2.2.6. Let t(x), r(x), q(x) ∈ Q[x], and suppose (t, r, q) represents a family of elliptic curves with embedding degree k. The ρ-value of the family represented by (t, r, q), denoted ρ(t, r, q), is log q(x) deg q(x) = . x→∞ log r(x) deg r(x) √ The Hasse bound |#E(Fq ) − q + 1| ≤ 2 q implies that ρ(t, r, q) is always at least ρ(t, r, q) = lim

1. (For individual curves, ρ(E) ≥ 1 −

2 log 2 log r .)

If (t, r, q) represents curves of prime order,

then deg r = deg q and ρ = 1. Note, however, that the converse may not be true: if ρ(t, r, q) = 1, then we may find that for any curve E in this family #E(Fq ) = hr(x) where h is a constant-size cofactor. (For examples of such families, see [46, §3].) We conclude this section by demonstrating some properties of ρ for ordinary elliptic curves with embedding degree 1 or 2. Proposition 2.2.7. Suppose (t, r, q) represents a family of ordinary elliptic curves with embedding degree k ≤ 2 and discriminant D. 1. If k = 1, then ρ(t, r, q) ≥ 2 if either of the following conditions holds: (a) deg t(x) ≥ 1, or (b) there are an infinite number of integer solutions (x, y) to the CM equation (2.1) for which r(x) is square free and relatively prime to D. 2. If k = 2, then ρ(t, r, q) ≥ 2.

27 Proof. Since r(x) divides Φk (t(x)−1) and deg Φk = 1, if Φk (t(x)−1) 6= 0 then we must have deg t(x) ≥ deg r(x). Thus by the Hasse bound ρ(t, r, q) ≥ 2. It remains to consider the cases k = 1, t(x) = 2 and k = 2, t(x) = 0. If t(x) = 0 then the family of curves is not ordinary, a contradiction. Now suppose k = 1 and t(x) = 2; then the CM equation (2.1) becomes Dy 2 = 4h(x)r(x). The hypothesis (1b) implies that there are an infinite number of x for which h(x) ≥ r(x), and therefore deg h(x) ≥ deg r(x). Since deg q(x) = deg h(x) + deg r(x), we conclude that ρ ≥ 2. Remark 2.2.8. Let E/Fq be an ordinary elliptic curve that has embedding degree k ≤ 2 with respect to r, and let D be the CM discriminant of E. Using the same reasoning as in the proof of Proposition 2.2.7, one can show that if either 1. k = 1, r is square free, and gcd(r, D) = 1, or 2. k = 2, and q and r are prime, then ρ(E) ≥ 2(1 − ε), with ε → 0 as r → ∞.

2.2.2

Supersingular curves

Recall that an elliptic curve E/Fq with #E(Fq ) = q + 1 − t is supersingular if and only if gcd(t, q) > 1. Supersingular curves have embedding degrees k ∈ {1, 2, 3, 4, 6} [86], and furthermore k = 2 is the only possible embedding degree over prime fields Fq with q ≥ 5. By the Hasse bound, group orders of supersingular curves are of the form q + 1 − t with t2 ∈ {0, q, 2q, 3q, 4q}. The only known general method to construct supersingular curves is reduction of CM curves in characteristic zero. In particular, the CM curves y 2 = x3 + ax and y 2 = x3 + b defined over Q reduce to supersingular curves over Fp for all primes p ≡ 3 (mod 4) and p ≡ 2 (mod 3) respectively. These two curves will suffice for most applications; Algorithm 2.2.11 gives an explicit procedure for constructing a supersingular curve over any given prime field. For fields of characteristic 2 and 3, representatives for each Fq -isomorphism class of supersingular curves have been determined by Menezes and Vanstone [87] and Morain [95], respectively. Supersingular curves with k = 4 or 6 exist only in characteristic 2 and 3, respectively, and Menezes [84] has characterized prime-order supersingular curves in these cases. Thus we limit our discussion in this section to curves with k ≤ 3.

28 Remark 2.2.9. Supersingular curves are commonly perceived as “weak” curves, and thus as not desirable for cryptographic applications. However, Koblitz and Menezes [68] argue: There is no known reason why a nonsupersingular curve with small embedding degree k would have any security advantage over a supersingular curve with the same embedding degree. On the other hand, as opposed to ordinary curves with embedding degree k > 1, supersingular curves have the added advantage that they have distortion maps (in the sense of Verheul [125]), which is a desirable feature in some pairing-based applications [24]. Embedding degree k = 1 Supersingular curves with embedding degree k = 1 exist only over finite fields Fq √ √ where q = ps with s even. Then we can write q − 1 = ( q + 1)( q − 1), so r | q − 1 if √ √ r | ( q + 1) or r | ( q − 1). For a supersingular curve with k = 1 over Fq , this requires √ √ #E(Fq ) = q ± 2 q + 1, that is, t = ±2 q [45], and we see that such curves must have ρ ≥ 2. To construct supersingular curves with embedding degree 1, we let q 0 =

√

q and let

E/Fq0 be a curve with trace zero, i.e., #E(Fq0 ) = q 0 + 1. Then the characteristic polynomial √ √ of the q 0 -power Frobenius endomorphism is x2 + q 0 , which factors as (x + i q 0 )(x − i q 0 ). The Weil conjectures [117, Theorem V.2.2] then tell us that the characteristic polynomial √ of the q-power Frobenius map is (x − q 0 )2 , so #E(Fq ) = (q 0 − 1)2 = q − 2 q + 1. Thus even though E/Fq0 has embedding degree 2, if we consider E as a curve over Fq then E has embedding degree 1 with respect to r. We will see in Section 2.2.2 how to construct a trace-zero curve over Fq0 with an orderr subgroup for arbitrary r. Since we may take log q 0 / log r arbitrarily close to 1 for such curves, the ρ-value for E/Fq with embedding degree 1 can be made arbitrarily close to 2, and we see from the discussion above that this is the best possible ρ-value. If for some √ reason we want our curve to have q + 2 q + 1 points, we may simply take a quadratic twist √ (over Fq ) of the curve with q − 2 q + 1 points. We conclude that in any case where a supersingular curve E/Fq with k = 1 and ρ(E) = ρ0 is desired, we may obtain an entirely equivalent setup by choosing a supersingular curve E 0 /F√q with k = 2 and ρ(E 0 ) = ρ0 /2.

29 Embedding degree k = 2 The case of embedding degree 2 offers the most flexibility; in fact, we can construct curves over prime fields with arbitrary subgroup size and ρ-value. For embedding degree k = 2 we require r | q + 1. This is certainly the case if t = 0, and such supersingular curves can be defined over both prime and non-prime fields. Construction of supersingular curves in characteristic greater than 3 makes use of the following theorem: Theorem 2.2.10 ([71, Theorem 13.12]). Let L be a number field, and E/L be an elliptic √ curve with complex multiplication. Suppose End(E) ⊗ Q = Q( −D). Let p | p be a prime of L where E has good reduction. Then the reduction of E mod p is supersingular if and   √ only if p does not split in Q( −D), i.e., −D 6= 1. p Given a subgroup size r, if we choose any even h such that q = hr − 1 is prime, then we have the following algorithm (combining the constructions of Koblitz and Menezes [68, §7] and Br¨oker [21, §3.4]) for constructing a curve over Fq with embedding degree 2 with respect to r. Algorithm 2.2.11. Input: a prime q ≥ 5. Output: a supersingular elliptic curve E/Fq . 1. If q ≡ 3 (mod 4), return y 2 = x3 + ax for any a ∈ F× q . 2. If q ≡ 5 (mod 6), return y 2 = x3 + b for any b ∈ F× q . 3. If q ≡ 1 (mod 12), do the following: (a) Let D be the smallest prime such that D ≡ 3 (mod 4) and √ (b) Compute the Hilbert class polynomial HD of Q( −D).



−D q



= −1.

(c) Compute a root j ∈ Fq of HD (mod q). (d) Let m = j/(1728 − j), and return y 2 = x3 + 3mc2 x + 2mc3 for any c ∈ F× q . The condition D ≡ 3 (mod 4) in Step (3a) guarantees that the Hilbert class polynomial HD has a root in Fq [21, §3.4]. Note that this construction allows us to choose r and h almost completely arbitrarily, so we may make our choices so that r has low Hamming

30 weight or some other special form. In particular, Boneh, Goh, and Nissim [16] observe that we may choose r to be a large composite number such as an RSA modulus; curves with such group orders are used in some recent pairing-based protocols. We see from Theorem 2.2.10 that the popular supersingular curves y 2 = x3 + ax and y 2 = x3 +b are simply special cases of the general construction method, for the two equations define CM curves over Q with CM discriminant 1 and 3, respectively. However, these two cases have the additional nice property that the distortion maps are easy to compute, as both curves have automorphisms defined over Fq2 . Koblitz and Menezes [68] give explicit determinations of the distortion maps in both cases. Embedding degree k = 3 A supersingular curve over Fq of prime order has embedding degree k = 3 if and only √ if q = ps with s even, and t = ± q [93]. In characteristic p > 3, the only such curves are those of the form y 2 = x3 + γ, 2 where γ is a non-cube in F× q [95]. If we specialize to the case q = p where p ≡ 2 (mod 3)

is a large prime, then we have #E(Fp2 ) = p2 ± p + 1. If the sign of the middle term is positive (i.e., t = −p), then for certain p = 3x − 1 we may find curves of prime order, since r(x) = (3x − 1)2 + (3x − 1) + 1 represents primes in the sense of Definition 2.2.1. In the case where t = p we find that #E(Fq ) must be a multiple of 3 and can be equal to 3 times a prime. We can recast these results in our language of “families” (Definition 2.2.3). Depending on the sign of t we have one of t(x) = − 3x + 1,

r(x) = 9x2 − 3x + 1,

q(x) = (3x − 1)2 ;

3x − 1,

r(x) = 9x2 − 9x + 3,

q(x) = (3x − 1)2 .

t(x) =

Since 4q(x) − t(x)2 = 3(3x − 1)2 , the triple (t, r, q) represents a family of elliptic curves with embedding degree 3 and discriminant 3. The ρ-value for this family is 1; in particular, if r(x) and 3x − 1 are prime then we may construct a curve over Fq(x) with embedding degree 3 and prime order. Since arithmetic in Fp2 for suitably chosen p can be as fast as arithmetic in Fp0 with p0

≈ p2 , this is a good method for generating useful curves with embedding degree 3 and

31 small ρ-value. Note that particularly fast Fp2 arithmetic results when optimal extension fields [4] are used; Duan, Cui and Chan [31] give sample families and curves for this setup.

2.3

Generating ordinary elliptic curves with arbitrary embedding degree We begin our survey of methods for constructing pairing-friendly ordinary elliptic

curves with the two most general methods in the literature, the Cocks-Pinch method and the Dupont-Enge-Morain method. Both methods can be used to construct curves with arbitrary embedding degree; however, both methods produce curves with ρ ≈ 2, which may not be suitable for certain applications. Neither method produces families of curves in the sense of Definition 2.2.3, but we will see in Section 2.5 that the Cocks-Pinch method does generalize to produce families with ρ < 2. Furthermore, the Cocks-Pinch method has the advantage that it can produce curves with prime-order subgroups of nearly arbitrary size. The subgroups of Dupont-Enge-Morain curves, on the other hand, must have an order r that divides a value of a certain polynomial, which results in the value of r being more difficult to specify precisely.

2.3.1

The Cocks-Pinch method

In an unpublished manuscript [25], Cocks and Pinch gave a procedure for constructing pairing-friendly curves with arbitrary embedding degree k. The Cocks-Pinch method fixes a subgroup size r and a CM discriminant D and computes t such that the CM equation must be satisfied. Theorem 2.3.1 ([25]). Fix a positive integer k and a positive square-free integer D. Execute the following steps. 1. Let r be an odd prime such that k | r − 1 and

−D r




= 1.

2. Let z be a kth root of unity in (Z/rZ)× . (Such a z exists because k | r − 1.) Let t0 = z + 1. √ 3. Let y 0 = (t0 − 2)/ −D (mod r). 4. Let t be the unique lift of t0 to (0, r], and let y be the unique lift of y 0 to (0, r]. Let q = (t2 + Dy 2 )/4.

32 If q is an integer and prime, then there exists an elliptic curve E over Fq with an order-r √ subgroup and embedding degree k. If the class number of Q( −D) is less than 105 then E can be constructed via the CM method. The key feature of this algorithm is that y is constructed so that Dy 2 + (t − 2)2 is divisible by r. With q chosen such that the CM equation 4q − t2 = Dy 2 is satisfied, this yields 4(q + 1 − t) ≡ 0 mod r. Lastly, the choice of t ensures that Φk (t − 1) ≡ 0 mod r. We observe that there is no reason to believe a priori that we can find a t or y that is much smaller than r, and thus in general we find that q ≈ r2 . We conclude that the curves produced by this method tend to have ρ-values around 2. However, these curves are easy to generate, and in particular we can take r to be (nearly) arbitrary, so r can have low Hamming weight or other desirable features. The Cocks-Pinch method is important not only because it is the most flexible algorithm for constructing ordinary pairing-friendly curves, but also because it can be generalized to produce families of elliptic curves with ρ < 2 (Section 2.5) and higher-dimensional pairingfriendly abelian varieties (Chapter 4). Remark 2.3.2. In Step (4) we could in fact choose t and y to be any integers congruent to t0 and y 0 modulo r. In particular, if we wish to generate a curve with a given ρ-value ρ0 ≥ 2, we could add to t and y an integer divisible by r and of size roughly rρ0 /2 . Remark 2.3.3. Rubin and Silverberg [107] have observed that the Cocks-Pinch method can be used to construct curves with embedding degree k with respect to r when r is a large composite number, such as an RSA modulus. As in the case where r is prime, these curves have ρ-value around 2.

2.3.2

The Dupont-Enge-Morain method

Whereas the Cocks-Pinch method fixes an r and then computes t and q such that the CM equation is satisfied, the approach of Dupont, Enge, and Morain [32] is to compute t and r simultaneously using resultants. The theory of resultants is discussed in [72, §IV.8]. Theorem 2.3.4 ([32]). Fix a positive integer k, and execute the following steps. 1. Compute the resultant R(a) = Resx (Φk (x − 1), a + (x − 2)2 ).

33 2. Choose a such that a = Dy 2 with D square-free, and let r be the largest prime factor of R(a). 3. Compute g(x) = gcd(Φk (x − 1), a + (x − 2)2 ) in Fr [x]. 4. Let t0 ∈ Fr be a root of the polynomial g. If there is no such root, go to Step (2) and choose a different a. 5. Let t be the unique lift of t0 to (0, r]. Let q = (t2 + a)/4. If q is an integer and prime, then there exists an elliptic curve E over Fq with an order-r √ subgroup and embedding degree k. If the class number of Q( −D) is less than 105 then E can be constructed via the CM method. The key idea of the Dupont-Enge-Morain method is to use the following property of resultants [72, Corollary IV.8.4]: if f (x) and g(x) are polynomials over a field K, then Resx (f (x), g(x)) = 0 if and only if f (x) and g(x) have a common root in K. If we consider Φk (x − 1) and a + (x − 2)2 to be polynomials in the two variables a, x, then the resultant R is a single-variable polynomial in a of degree ϕ(k). If we fix a and take r to be a prime factor of R(a), then R(a) ≡ 0 (mod r), and thus Φk (x − 1) and a + (x − 2)2 have a common factor g(x) when considered as polynomials mod r, i.e., in Fr [x]. In practice we find that if k is small and r is of cryptographic size then the factor g(x) is linear, so we can find a root t0 ∈ Fr that lifts to an integer t. The values of t and r computed thus satisfy r | Φk (t − 1) and r | Dy 2 + (t − 2)2 . By construction of q, the CM equation holds, which then yields q + 1 − t ≡ 0 (mod r). We observe that there is again no reason to believe a priori that t is much smaller than r, and thus in general we find that q ≈ r2 . We conclude that the curves produced by this method also tend to have ρ values around 2. Like the Cocks-Pinch method, the Dupont-Enge-Morain method is effective for computing curves for arbitrary embedding degree k. However, whereas in the former method we could choose the subgroup size r nearly arbitrarily, in this method r is a factor of a value of the polynomial R(a). Since r must be of cryptographic size, it will usually only be computationally feasible to find such an r if the remaining factors of R(a) are small, so in general r will be roughly the size of R(a). Since R(a) has degree ϕ(k) and is irreducible (because it is the resultant of two irreducible polynomials), the factors r we find will grow roughly like aϕ(k) . Thus the possible subgroup orders r are more restricted in the Dupont-Enge-Morain

34 method than in the Cocks-Pinch method. This is the only significant difference between the two methods, and thus we recommend using the Cocks-Pinch method for applications where a curve with arbitrary embedding degree and ρ ≈ 2 is desired.

2.4

Sparse families of pairing-friendly curves Recall that to construct families of pairing-friendly curves, we search for polynomials

t(x), r(x), q(x) that satisfy certain divisibility conditions modulo r(x), and for which the CM equation Dy 2 = 4q(x) − t(x)2 = 4h(x)r(x) − (t(x) − 2)2

(2.2)

has infinitely many solutions (x, y). Here, h(x) is the “cofactor” satisfying h(x)r(x) = q(x) + 1 − t(x). In practice, for any t(x) we can easily find r(x) and q(x) satisfying the divisibility conditions modulo r(x); the difficulty arises in choosing the polynomials so that Dy 2 = 4q(x) − t(x)2 has infinitely many integer solutions. In general, if f (x) is a square-free polynomial of degree at least 3, then there will be only a finite number of integer solutions to the equation Dy 2 = f (x) (cf. Proposition 2.4.5 below). Thus we conclude that (t, r, q) can represent a family of curves only if f (x) has some kind of special form. We now consider one of these special forms: namely, the case where f (x) is quadratic. We show that in this case, one integral solution to the equation Dy 2 = f (x) will give us infinitely many solutions. This is the technique that Miyaji, Nakabayashi and Takano [93] use to produce curves with embedding degree 3, 4, or 6, and we will use the same technique in Section 3.1 to construct curves with embedding degree 10. The idea is as follows: since f (x) is quadratic, we complete the square to write the equation Dy 2 = f (x) as u2 − D0 v 2 = T for some constants D0 and T , and observe that (u, v) √ is a solution to this equation if and only if u + v D0 has norm T in the real quadratic field √ Q( D0 ). By Dirichlet’s unit theorem, there is a one-dimensional set of norm-one integral elements of this field; multiplying each of these units by our element of norm T gives an infinite family of elements of norm T . We then show that a certain fraction of these elements can be converted back to solutions of the original equation. Theorem 2.4.1. Fix an integer k > 0, and suppose the polynomials t(x), r(x), q(x) ∈ Q[x] satisfy conditions (1)–(4) of Definition 2.2.3 (i). Let f (x) = 4q(x) − t(x)2 . Suppose f (x) =

35 ax2 + bx + c, with a, b, c ∈ Z, a > 0, and b2 − 4ac 6= 0. Let D be a square-free integer such that aD is not a square. If the equation Dy 2 = f (x) has an integer solution (x0 , y0 ), then (t, r, q) represents a family of curves with embedding degree k. Proof. Completing the square in the equation Dy 2 = f (x) and multiplying by 4a gives aD(2y)2 = (2ax + b)2 − (b2 − 4ac). If we write aD = D0 w2 with D0 square-free and make the substitutions u = 2ax+b, v = 2wy, T = b2 − 4ac, the equation becomes u2 − D0 v 2 = T.

(2.3)

Note that since aD is not a square, we have D0 > 1. Under the above substitution, a solution (x0 , y0 ) to the original equation Dy 2 = f (x) √ √ gives an element u0 + v0 D0 of the real quadratic field Q( D0 ) with norm T . Furthermore, this solution satisfies the congruence conditions u0 ≡ b

(mod 2a)

v0 ≡ 0

(mod 2w).

(2.4)

We wish to find an infinite set of solutions (u, v) satisfying the same congruence conditions, for we can transform such a solution into an integer solution to the original equation. To find such solutions we employ Dirichlet’s unit theorem [98, §1.7], which tells us that the integer solutions to the equation α2 − D0 β 2 = 1 are in one-to-one correspondence with the real numbers

√ √ α + β D0 = ±(α0 + β0 D0 )n

√ for some fixed (α0 , β0 ) and any integer n. The real number α0 + β0 D0 is either a funda√ mental unit of the real quadratic field Q( D0 ) or (if the norm of the fundamental unit is −1) the square of a fundamental unit.

√ Reducing the coefficients of α0 + β0 D0 modulo 2a gives an element z of the ring

Z[x] . (2a, x2 − D0 ) √ √ Furthermore, since (α0 + β0 D0 )(α0 − β0 D0 ) = 1, z is invertible in R, i.e., z ∈ R× . Since R=

R× is a finite group of size less than 4a2 , there is an integer m < 4a2 such that z m = 1 in

36 √ √ √ R× .† Lifting back up to the full ring Z[ D0 ], we see that (α0 + β0 D0 )m = α1 + β1 D0 for integers α1 , β1 satisfying α1 ≡ 1

(mod 2a),

β1 ≡ 0

(mod 2a).

(2.5)

Now for any integer n we can compute integers (u, v) such that √ √ √ u + v D0 = (u0 + v0 D0 )(α1 + β1 D0 )n .

(2.6)

√ We claim that (u, v) satisfy the congruence conditions (2.4). To see this, let αn + βn D0 = √ (α1 + β1 D0 )n . The conditions (2.5) imply that αn ≡ 1 (mod 2a) and βn ≡ 0 (mod 2a). Combining this observation with the formulas u = αn u0 + βn v0 D0 v = αn v0 + βn u0 , we see that u ≡ u0 ≡ b (mod 2a) and v ≡ v0 (mod 2a). Furthermore, v0 ≡ 0 (mod 2w) and 2w divides 2a (since aD = D0 w2 and D is square free), so we conclude that v ≡ 0 (mod 2w). The new solution (u, v) thus satisfies the congruence conditions (2.4). Any integer n gives such a solution, so by setting x = (u − b)/2a and y = v/2w for each such (u, v), we have generated an infinite number of integer solutions to the equation Dy 2 = f (x). This is condition (5) of Definition 2.2.3 (i); by hypothesis (t, r, q) satisfy conditions (1)–(4), so we conclude that (t, r, q) represents a family of curves with embedding degree k. Remark 2.4.2. More generally, we may find an infinite family of curves in the case where f (x) = g(x)2 h(x), with h(x) quadratic. Specifically, if we let y = y 0 g(x), then given one integral solution (x, y 0 ) to the equation Dy 02 = h(x) we may use the method of Theorem 2.4.1 to find an infinite number of solutions. However, we currently know of no examples for which f (x) is of this form. Remark 2.4.3. We see from (2.6) that solutions to the Pell equation (2.3) grow exponentially, and thus only very few values of x satisfy our original equation Dy 2 = f (x). (Indeed, even the smallest solution will be exponential in the bit size of D [75].) Thus the families of Theorem 2.4.1 will be sparse (in the sense of Definition 2.2.3). †

In fact, since z is an element of the norm-one subgroup of R× , m is bounded above by 2s a, where s is the number of distinct primes dividing 2a. A more detailed study of the group R× appears in [36].

37 Remark 2.4.4. The argument in the proof of Theorem 2.4.1 can easily be made into an algorithm for finding x and y, using for example using one of the techniques described by Matthews [83] or Robertson [105] to find a fundamental solution to the equation (2.3), and √ using the continued fraction expansion of D0 to find the fundamental unit (or its square) √ α0 + β0 D0 [75]. Theorem 2.4.1 tells us that if f (x) is quadratic and square free, we obtain a family of curves of the prescribed embedding degree for each D. If f (x) is instead a linear or constant function times a square, then we obtain a family of curves for a single D. In this case the family is complete (in the sense of Definition 2.2.3), and such examples belong in the discussion of Section 2.5. We conclude this section with a partial converse to Theorem 2.4.1; namely, if the degree of f (x) is at least 3, then we are unlikely to find an infinite family of curves. Proposition 2.4.5. Let (t, r, q) be polynomials with integer coefficients satisfying conditions (1)–(4) of Definition 2.2.3, and let f (x) = 4q(x) − t(x)2 . Suppose f (x) is square free and deg f (x) ≥ 3. Then (t, r, q) does not represent a family of elliptic curves with embedding degree k. Proof. Since f (x) is square free (i.e., has no double roots) and has degree at least 3, the equation Dy 2 = f (x) defines a smooth affine plane curve of genus g ≥ 1. By Siegel’s Theorem [117, Theorem IX.4.3] such curves have a finite number of integral points, so condition (5) of Definition 2.2.3 is not satisfied.

2.4.1

MNT curves

Miyaji, Nakabayashi and Takano [93] were the first to propose ordinary pairing-friendly curves, for embedding degrees k = 3, 4, and 6. In fact, ordinary curves of prime order with embedding degrees 3, 4, or 6 have been fully characterized as follows: Theorem 2.4.6 ([93]). Let q be a prime and E/Fq be an ordinary elliptic curve such that r = #E(Fq ) is prime. Let t = q + 1 − r. 1. Assume q > 64. E has embedding degree k = 3 if and only if there exists x ∈ Z such that t = −1 ± 6x and q = 12x2 − 1. 2. Assume q > 36. E has embedding degree k = 4 if and only if there exists x ∈ Z such that t = −x or t = x + 1, and q = x2 + x + 1.

38 3. Assume q > 64. E has embedding degree k = 6 if and only if there exists x ∈ Z such that t = 1 ± 2x and q = 4x2 + 1. In all three cases, the proof (of the “only if” part) of Theorem 2.4.6 starts out with the condition r | Φk (q) and exploits the primality of the group order. All of the proofs are entirely elementary. Remark 2.4.7. It is easy to show (see [63]) that if both r and q are primes greater than 64 then there is an elliptic curve E/Fq with embedding degree 6, discriminant D, and #E(Fq ) = r if and only if there is an elliptic curve E 0 /Fr with embedding degree 4, discriminant D, and #E 0 (Fr ) = q. In all three cases of Theorem 2.4.6, the CM equation Dy 2 = 4q(x) − t(x)2 defines a curve of genus zero, with the right-hand side being quadratic in x. In each case, by a linear change of variables, the CM equation can be transformed into a generalized Pell equation of the form (2.3). Specifically, 1. for k = 3, setting u = 6x ± 3 and v = y yields u2 − 3Dv 2 = 24, 2. for k = 4, setting u = 3x + 2 (if t = −x) or u = 3x + 1 (if t = x + 1), and v = y yields u2 − 3Dv 2 = −8, and 3. for k = 6, setting u = 6x ∓ 1 and v = y yields u2 − 3Dv 2 = −8. (The signs in (1) and (3) are to match those in Theorem 2.4.6.) We can then find solutions (x, y) (if any exist) using the procedure of Theorem 2.4.1 (cf. Remark 2.4.4). Now, the MNT strategy for generating ordinary elliptic curves of prime order with embedding degree k = 3, 4, or 6 is the following: repeatedly select small discriminants D and compute solutions (u, v) to equation (2.3) (with T = 24 or T = −8) until the corresponding q = q(x) and r = q(x) + 1 − t(x) are primes of the desired bit length. Then there exists an elliptic curve over Fq with r points and embedding degree 3, 4, or 6, respectively, which can be constructed via the CM method. The search for MNT curves can be sped up slightly by noting that if k = 3, it is necessary that D ≡ 19 (mod 24) [93], and if k = 4 or 6 then necessarily D ≡ 3 (mod 8) and D 6≡ 5 (mod 10). Also, T must be a quadratic residue modulo 3D in all cases. The major downside of MNT curves is that (as noted in Remark 2.4.3) the families obtained are sparse. In fact, Luca and Shparlinski [80, 81] give a heuristic argument that

39 for any upper bound D, there exist only a finite number of MNT curves with discriminant D ≤ D, with no bound on the field size! On the other hand, specific sample curves of cryptographic interest have been found, such as MNT curves of 160-bit, 192-bit, or 256-bit prime order (see, for example, [101] and [112]).

2.4.2

Extensions of the MNT strategy

The MNT strategy has been extended by Scott and Barreto [113], and by Galbraith, McKee and Valen¸ca [46], by allowing a small constant-size cofactor h. Starting out with (2.2), Scott and Barreto [113] fix small integers h and d and substitute r = Φk (t − 1)/d and t = x + 1, to obtain the equation Dy 2 = 4h

Φk (x) − (x − 1)2 . d

(2.7)

As the right-hand side is quadratic in x for k = 3, 4, or 6, just as with MNT curves we can transform (2.7) into a generalized Pell equation of the form (2.3) by an appropriate linear substitution of x. Subsequently, the MNT strategy can be applied to find curves with embedding degrees k = 3, 4, or 6 of almost-prime order. Galbraith, McKee and Valen¸ca [46] give a complete characterization of curves with embedding degree 3, 4 and 6 with cofactors 2 ≤ h ≤ 5. This is achieved by mimicking the Miyaji-Nakabayashi-Takano proof of Theorem 2.4.6, but substituting hr for #E(Fq ), followed by an explicit (but tedious) analysis for h = 2, 3, 4, 5. Just as in the prime-order case, all resulting parametrizations for t are linear in x, and all resulting parametrizations for q are quadratic in x, so that the resulting CM equations Dy 2 = 4q(x) − t(x)2 are quadratic in x and allow for a transformation into generalized Pell equations. Given the nature of the solutions of Pell equations, we once again obtain sparse families.

2.5

Complete families of pairing-friendly curves Once again, we start out with the CM equation Dy 2 = 4q(x) − t(x)2 = 4h(x)r(x) − (t(x) − 2)2

(2.8)

and search for polynomials t(x), r(x), q(x) that satisfy certain divisibility conditions and for which the CM equation has infinitely many solutions (x, y). The constructions in this section work by choosing the parameters D, t(x), r(x), q(x) such that the right-hand side of

40 the CM equation is always D times a perfect square, and thus the equation is satisfied for every integer x. These constructions thus give complete families of curves in the sense of Definition 2.2.3. There are two principal strategies for constructing complete families, one due to Scott and Barreto [113] and the other due originally to Barreto, Lynn, and Scott [8], and in its fullest generality to Brezing and Weng [19]. Both start in the same way: fix an embedding degree k, choose an irreducible polynomial r(x) ∈ Z[x] such that K = Q[x]/(r(x)) is a number field containing the kth roots of unity, and then choose t(x) to be a polynomial mapping to 1 + ζk , where ζk is a primitive kth root of unity in K. At this point the two strategies diverge. Brezing and Weng use the fact that if K contains a square root of −D, then since r(x) = 0 in K, we can factor the CM equation (2.8) in K as 

  √ √ t(x) − 2 + y −D t(x) − 2 − y −D ≡ 0

mod r(x).

Since t(x) 7→ ζk + 1 ∈ K, it now becomes clear that if we choose y(x) to be a polynomial √ mapping to (ζk − 1)/ −D in K, then the CM equation is automatically satisfied for any x. √ If we do not know that K contains an element of the form −D for some D, then we may apply the Scott-Barreto strategy. This strategy is to take the t(x) and r(x) from above and search (usually via computer) for cofactors h(x) that make the right-hand side of the CM equation (2.8) either a perfect square or a linear factor times a perfect square. The CM equation then becomes Dy 2 = (ax + b)g(x)2 . If a = 0 then we take D = b and y = g(x). If a > 0, we may choose any D and make the substitution x 7→

Dz 2 −b a .

If we then set y = zg(x), the CM equation is automatically

satisfied for any z. In both cases we finish by constructing q(x) as q(x) =


1 t(x)2 + Dy(x)2 . 4

If q(x) represents primes and r(x) has positive leading coefficient, then (t, r, q) represents a complete family of pairing-friendly curves. The success of either strategy depends heavily on the choice of number field K. The obvious choice is to set K to be a cyclotomic field Q(ζ` ) for some ` that is a multiple of

41 k, and define r(x) to be the `th cyclotomic polynomial Φ` (x). Then K contains the kth roots of unity. Furthermore, it is a standard result of the theory of cyclotomic fields that K q √ √ contains −1 if 4 | `, K contains −2 if 8 | `, and K contains ( −1 p )p for any odd prime p dividing `. Thus, for any k and D we can use a cyclotomic field in the Brezing-Weng construction; see Murphy and Fitzpatrick’s work [96] for more details. We call families constructed in this manner “cyclotomic families,” and we discuss some of the most efficient constructions in Section 2.5.1 below. We may achieve even better success by choosing K to be a (perhaps trivial) extension of a cyclotomic field, with r(x) not a cyclotomic polynomial. There are two ways of creating such an extension. The first is to make the substitution x 7→ u(x) for some polynomial u. If Φ` (u(x)) is irreducible we have gained nothing, but if Φ` (u(x)) factors as r1 (x)r2 (x) with r1 irreducible, then we may set K = Q[x]/(r1 (x)). Then K is a field containing the `th √ roots of unity, and u(x) maps to an `th root of unity in K. If we know that −D ∈ Q(ζ` ), √ then −D ∈ K as well, and we may use the Brezing-Weng construction; otherwise we may apply the Scott-Barreto construction. The second method, due to Kachisa, Schaefer, and Scott [62] is to find a non-cyclotomic polynomial r(x) such that K = Q[x]/(r(x)) is isomorphic to the cyclotomic field Q(ζ` ). Such a polynomial r(x) can be computed as the minimal polynomial of a random element of Q(ζ` ). Given this r(x), we can find a polynomial t(x) mapping to 1 + ζk in K and proceed as in the Brezing-Weng method. Since nontrivial factorizations of Φ` (u(x)) are rare for random u(x) and, furthermore, the q(x) produced by the Kachisa-Schaefer-Scott technique do not usually represent primes, we will call families of curves obtained by either of these techniques “sporadic” families; they are discussed in Section 2.5.2 below. Although such families are rare, they may have better ρ-values than curves constructed using a cyclotomic field. This was most spectacularly demonstrated by Barreto and Naehrig [9], who used this method to construct curves of prime order with embedding degree 12 (Example 2.5.7 below).

2.5.1

Cyclotomic families

Barreto, Lynn, and Scott [8], and independently, Brezing and Weng [19], both observed that if we apply the Cocks-Pinch method but parametrize t, r, q as polynomials, then we can improve on this value of ρ. Brezing and Weng stated the construction in greatest generality;

42 their theorem is below. Theorem 2.5.1 ([19]). Fix a positive integer k and a positive square-free integer D. Execute the following steps. 1. Find an irreducible polynomial r(x) ∈ Z[x] with positive leading coefficient such that √ K = Q[x]/(r(x)) is a number field containing −D and the cyclotomic field Q(ζk ). 2. Choose a primitive kth root of unity ζk ∈ K. 3. Let t(x) ∈ Q[x] be a polynomial mapping to ζk + 1 in L. √ 4. Let y(x) ∈ Q[x] be a polynomial mapping to (ζk − 1)/ −D in L. (So, if s(x) maps √ to −D then y(x) ≡ (2 − t(x))s(x)/D mod r(x).) 5. Let q(x) ∈ Q[x] be given by (t(x)2 + Dy(x)2 )/4. If q(x) represents primes, then the triple (t(x), r(x), q(x)) represents a family of curves with embedding degree k and discriminant D. The ρ-value for this family (Definition 2.2.6) is ρ(t, r, q) =

2 max{deg t(x), deg y(x)} . deg r(x)

Since we can always choose t(x) and y(x) to have degree strictly less than r(x), we see that this method can produce families with ρ-values strictly less than 2. In general, we expect the smallest possible degree for t(x) and y(x) to be deg(r) − 1, so ρ will not be much less than 2. However, for certain clever choices of the number field K, we may construct polynomials t and y with smaller degree, thus improving the ρ-value. We will now examine in detail some constructions for certain sets of k. Barreto, Lynn, and Scott [8] gave the first construction along the lines of Theorem 2.5.1. They construct families by taking the polynomial r(x) defining the number field K to be the kth cyclotomic polynomial, choosing ζk 7→ x in K (so t(x) = 1 + x),† and using √ the fact that if k is divisible by 3 then −3 ∈ K. Brezing and Weng [19] set r(x) to be a cyclotomic polynomial Φ` (x) for some ` that is a multiple of the desired embedding degree k and choosing various representatives for ζk in Q[x]/(r(x)). The discriminants D in these †

Here and in the following examples, for α ∈ K and f (x) ∈ Q[x] we use the notation α 7→ f (x) to mean that f (x) represents α in K = Q[x]/(r(x)).

43 constructions are often taken to be 1 or 3. The tricky part of most of these constructions is ensuring that the resulting q(x) represents primes. The constructions we present in this section are generalizations of constructions already existing in the literature. Construction 2.5.2 is based on an example of Brezing and Weng [19, §3, Example 3], while Constructions 2.5.3 and 2.5.4 adapt this example to even embedding degrees k. Construction 2.5.5 generalizes examples of Brezing and Weng [19, §3, Example 4] and Barreto, Lynn, and Scott [8, §3.1]. Finally, Construction 2.5.6 generalizes examples of Brezing and Weng [19, §3, Example 5] and Murphy and Fitzpatrick [96, Example 2.2.2 and §4.4]. We begin with a construction given by Brezing and Weng, who state the construction for prime embedding degrees k; we observe that the construction extends readily to all odd √ k. We choose K to be a cyclotomic field containing a fourth root of unity −1, so we may choose D = 1. ∼ Construction 2.5.2 ([19]). Let k be odd, and let r(x) = Φ4k (x), so K = Q[x]/(r(x)) = √ Q(ζ4k ). We choose ζk 7→ −x2 (so t(x) = 1 − x2 ) and −1 7→ xk . The Brezing-Weng method (Theorem 2.5.1) then gives  1 (−x2 + 1)2 + (x2 + 1)2 x2k 4  1  2k+4 2k+2 2k 4 2 x + 2x + x + x − 2x + 1 . = 4

q(x) =

(2.9)

Since q(1) = 1, if q is irreducible then it represents primes. Computations with PARI [102] show that q(x) is irreducible for odd k < 200, and we conjecture that q(x) is irreducible for all odd k. We conclude that for odd k < 200 (and conjecturally for all odd k), (t, r, q) represents a complete family of curves with embedding degree k and discriminant 1. The ρ-value for this family is deg q/ deg Φ4k = (k + 2)/ϕ(k). We next observe that if k is odd, then ζ2k = −ζk . Thus if we change the sign of the polynomials representing ζk in Construction 2.5.2, the same construction can be used to create families with embedding degree 2k and the same ρ-values. Construction 2.5.3. Let k be odd. Changing the sign of ζk in Construction 2.5.2 gives r(x) = Φ4k (x), t(x) = x2 + 1,  1  2k+4 q(x) = x − 2x2k+2 + x2k + x4 + 2x2 + 1 . 4

44 Then (t, r, q) represents a potential family of pairing-friendly elliptic curves with embedding degree 2k and discriminant 1. If x is odd, then q(x) is an integer. Since q(x) is the reverse of the polynomial given in (2.9), q(x) is irreducible if and only if (2.9) is. Thus (t, r, q) represents a family of curves for odd k < 200, and we conjecture for all k. The ρ-value for this family is (k + 2)/ϕ(k); in terms of the embedding degree k 0 = 2k the ρ-value is (k 0 /2 + 2)/ϕ(k 0 ). With the same setup, using ζ4k =

√

ζ2k gives the following construction.

Construction 2.5.4. Let k be odd. Using ζ4k 7→ x in Construction 2.5.2 gives r(x) = Φ4k (x), t(x) = x + 1,  1  2k+2 x − 2x2k+1 + x2k + x2 + 2x + 1 . q(x) = 4 Then (t, r, q) represents a potential family of pairing-friendly elliptic curves with embedding degree 4k and discriminant 1. Since q(1) = 1, if q is irreducible then it represents primes. Computations with PARI [102] show that q(x) is irreducible for odd k < 200, and we conjecture that q(x) is irreducible for all odd k. Thus (t, r, q) represents a family of curves for odd k < 200, and we conjecture for all k. The ρ-value for this family is (k + 1)/ϕ(k); in terms of the embedding degree k 0 = 4k the ρ-value is (k 0 /2 + 2)/ϕ(k 0 ). We now consider families constructed by choosing K to be a cyclotomic field containing √ a cube root of unity. Such fields contain −3, so we may choose D = 3. Some constructions of this form have been given by Barreto, Lynn, and Scott [8] and Brezing and Weng [19] for certain values of k; we consider the construction for all k, and discover families in all cases where k is not divisible by 18. Construction 2.5.5. Let k be any positive integer, let ` = lcm(6, k), and let r(x) = Φ` (x). √ We work in the field Q(ζk , ζ6 ), defined as K ∼ = Q[x]/(Φ` (x)). In this field we have −3 7→ 2x`/6 − 1. Our goal is to use the relation x`/3 = x`/6 − 1 mod r(x) to minimize the degree √ of y(x) = (ζk − 1)/ −3. The obvious choice is ζk 7→ x`/k ; however, in many cases we can do better by choosing ζk 7→ xa with a only slightly larger than `/6. Since x is a primitive `th root of unity, for xa to be a primitive kth root of unity we need gcd(a, `) = `/k. The exact choice depends on the congruence class of x modulo 6:

45 • k ≡ 1 (mod 6), ` = 6k: Since 2k + 1 ≡ 3 (mod 6), x2k+1 is a primitive 2kth root of unity. Since k is odd, −x2k+1 is a primitive kth root of unity. Thus we choose ζk 7→ −x2k+1 ≡ −xk+1 + x mod r(x). • k ≡ 2 (mod 6), ` = 3k: We have k + 1 ≡ 3 (mod 6), so we choose ζk 7→ xk+1 ≡ xk/2+1 − x mod r(x). • k ≡ 3 (mod 6), ` = 2k: Since x2k/3 is a cube root of unity and 3 | k, we need to multiply x2k/3 by a primitive kth root of unity. Since k is odd and x is a 2kth root of unity, −x is a kth root of unity. Thus we choose ζk 7→ −x2k/3+1 ≡ −xk/3+1 + x mod r(x). • k ≡ 4 (mod 6), ` = 3k: Choose ζk 7→ x3 . • k ≡ 5 (mod 6), ` = 6k: We have k + 1 ≡ 0 (mod 6), so we choose ζk 7→ xk+1 . • k ≡ 0 (mod 6), ` = k: Choose ζk 7→ x. If z(x) is the polynomial mapping to ζk , we compute y(x) by taking 13 z(x)(1 − 2x`/6 ) and adding ±2xr(x) to cancel out the leading term if k (mod 6) ∈ {1, 2, 3, 5}. We note that for small values of k the resulting t(x) and y(x) are not completely reduced modulo r(x); however, we find that further reduction leads to a q(x) that does not represent primes. Our choices for ζk and y(x) give the following formulas for q(x), which are valid for all positive k: • k ≡ 1 (mod 6): q(x) = 13 (x + 1)2 (x2k − xk + 1) − x2k+1 . • k ≡ 2 (mod 6): q(x) = 13 (x − 1)2 (xk − xk/2 + 1) + xk+1 . • k ≡ 3 (mod 6): q(x) = 13 (x + 1)2 (x2k/3 − xk/3 + 1) − x2k/3+1 . • k ≡ 4 (mod 6): q(x) = 13 (x3 − 1)2 (xk − xk/2 + 1) + x3 . • k ≡ 5 (mod 6): q(x) = 13 (x2 − x + 1)(x2k − xk + 1) + xk+1 . • k ≡ 0 (mod 6): q(x) = 13 (x − 1)2 (xk/3 − xk/6 + 1) + x. We see that we have deg q = `/3 + 2 in all cases except k ≡ 4 (mod 6), in which case deg q = `/3 + 6. Thus for any k, we have constructed a potential family of pairing-friendly

46 curves with embedding degree k and discriminant 3. The ρ-values of these families are ρ = (`/3 + 6)/ϕ(`) if k ≡ 4 (mod 6), and (`/3 + 2)/ϕ(`) otherwise. It remains to consider whether q(x) represents primes. We can check conditions (4) and (5) of Definition 2.2.1 simultaneously: If k is even then q(1) = 1, if k ≡ 1 or 3 (mod 6) then q(−1) = 1, and if k ≡ 5 (mod 6) then q(−1) = 4 and q(2) is an odd integer. Finally, computations with PARI [102] indicate that the appropriate q(x) is irreducible for all k < 300, except when k is divisible by 18. We conjecture that these polynomials are irreducible for all k not divisible by 18. Next, we consider families obtained by choosing K to be a cyclotomic field containing √ an eighth root of unity. Such fields contain −2, so we may choose D = 2. Brezing and Weng give an example of the construction with k = 18, while Murphy and Fitzpatrick [96] give an example with k = 24. We describe the construction for any k divisible by 3. Construction 2.5.6. Let k be a positive integer divisible by 3. We work in the field ∼ Q[x]/(Φ` (x)), where ` = lcm(8, k). In this field, we have ζk 7→ x`/k Q(ζk , ζ8 ), defined as K = √ (so t(x) = x`/k + 1), and −2 = ζ8 + ζ83 7→ x`/8 + x3`/8 . We choose y(x) to be a polynomial √ mapping to (ζk − 1)/ −2 and compute the reduction of y(x) modulo Φ` (x). Since k is a multiple of 3, we can use the relation x`/3 = x`/6 − 1 to compute y(x) modulo Φ` (x) explicitly, for we have ζk − 1 √ −2

7→ ≡

1 (1 − x`/k )(x3`/8 + x`/8 ) 2 1 (1 − x`/k )(x5`/24 + x`/8 − x`/24 ) 2

We set y(x) equal to this last polynomial. If

` k

+

5` 24

mod Φ` (x).

< ϕ(`) (a condition which holds

whenever 3 | k, k ≥ 18, and k has at most two prime factors greater than 3), then y(x) is √ the minimal-degree representative of (ζk − 1)/ −2 modulo Φ` (x), and we may set  1  `/k 2(x + 1)2 + (1 − x`/k )2 (x5`/24 + x`/8 − x`/24 )2 . 8
5` The degree of q is thus 2` k + 12 . We observe that q(1) = 1 for any k; computations with q(x) =

PARI show that q(x) is irreducible when 3 | k and k < 200, and we conjecture that q(x) is irreducible for all such k. Thus for these values of k, (x`/k + 1, Φ` (x), q(x)) represents a family of curves with embedding degree k. The ρ-value of this family is ( 5k 6 + 4)/ϕ(k) if k is odd, and ( 5k 12 + 2)/ϕ(k) if k is even.

47

Table 2.1: Families of pairing-friendly elliptic curves with k ∈ {15, 28, 44} and D = 2. k

`

t(x), q(x)

ρ

t(x) = x28 +x24 −x16 −x12 −x8 +1 15 120

q(x) = 18 (2x56 +4x52 +x50 +2x48 +2x46 −4x44 +x42 −6x40 −4x36 −x30

7/4

+12x28 −2x26 +14x24 −x22 +2x20 −10x16 −10x12 +x10 −8x8 +2x6 +x2 +8)

28

56

t(x) = −x2

23/12

q(x) = 18 (2(x2 −1)2 +x14 (x2 +1)2 (x14 +1)2 ) 44

88

t(x) = −x2

7/4

q(x) = 18 (2(x2 −1)2 +x22 (x2 +1)2 (x22 +1)2 )

Construction 2.5.6, while stated only for k divisible by 3, can be carried out for any √ positive integer k, setting y(x) to be the minimal-degree representative for (ζk − 1)/ −2 in K. However, unlike the case of Construction 2.5.5, the expressions for q(x) when k is not divisible by 3 or when

` k

+

5` 24

≥ ϕ(`) become too complicated to enumerate explicitly in

general. Furthermore, in some cases the construction may not give a family of curves; for example, if k = 20 the q(x) given by the construction never takes integer values. Potential families for a few selected values of k are given in Table 2.1.

2.5.2

Sporadic families of Brezing-Weng curves

Brezing and Weng only consider cyclotomic polynomials r(x) for their constructions, but in some cases using non-cyclotomic polynomials r(x) that define (perhaps trivial) extensions of cyclotomic fields may turn out to be even more effective. One method for constructing such extensions is to substitute x 7→ u(x) in the cyclotomic polynomial Φ` (x), where u(x) is some polynomial. If Φ` (u(x)) is irreducible, as is usually the case, going to the extension field will give us no advantage, as we will just be substituting x 7→ u(x) in t, r, and q. However, if Φ` (u(x)) factors, we may gain some advantage. Galbraith, McKee and Valen¸ca [46] have analyzed the factorizations of Φ` (u(x)) when u is quadratic and Φ` has degree 4. For ` = 8 there are no quadratic u such that Φ8 (u(x)) factors. For ` = 5, 10, there is a one-dimensional family of such u, parametrized be the rational points of a rank-one elliptic curve over Q. However, since Q(ζ5 ) = Q(ζ10 ) has no quadratic imaginary subfields, we cannot use Theorem 2.5.1 to construct a complete family

48 using such a factorization. Finally, for ` = 12 there are two such u(x). Barreto and Naehrig constructed pairingfriendly curves of prime order using one such factorization. Example 2.5.7 (Barreto-Naehrig curves [9]). Galbraith, McKee and Valen¸ca [46] discovered that if u(x) = 6x2 , then Φ12 (u(x)) = r(x)r(−x), where r(x) = 36x4 + 36x3 + 18x2 + √ 2 − 1 we 6x + 1. If we set K = Q[x]/(r(x)), then ζ12 7→ 6x2 in K, and using −3 = 2ζ12 compute y(x) = 6x2 + 4x + 1 and q(x) = 36x4 + 36x3 + 24x2 + 6x + 1. Since q(x) and r(x) have the same degree and leading coefficient, r(x) is actually the number of points on the elliptic curve to be constructed. Thus if q(x) and r(x) are both prime for some value of x, then the elliptic curve constructed will have prime order. A computer search for further factorizations of Φk (u(x)) for various values of k and degrees of u found the following example. Example 2.5.8. Let k = 8. If u(x) = 9x3 + 3x2 + 2x + 1, then Φ8 (u(x)) has an irreducible factor r(x) = 9x4 + 12x3 + 8x2 + 4x + 1. Setting D = 1 and K = Q[x]/(r(x)), we choose √ ζ8 7→ −u(x) and −1 = ζ82 7→ −18x3 − 15x2 − 10x − 4 mod r(x). Applying Theorem 2.5.1, we compute t(x) = −9x3 − 3x2 − 2x
1 81x6 + 54x5 + 45x4 + 12x3 + 13x2 + 6x + 1 . q(x) = 4 Since q(1) = 53 and q(−1) = 17 are distinct primes, q(x) represents primes. We conclude that (t, r, q) represents a family of curves with embedding degree 8. The ρ-value for this family is 3/2, which is worse than ρ = 5/4 given by Construction 2.5.5. However, curves with D = 1 have an automorphism of order 4, and since k is a multiple of 4 we may take advantage of this “quartic twist” to map points P ∈ E(Fq8 ) down to the field Fq2 , thus speeding up the pairing computation (see [56, §5]). Kachisa, Schaefer, and Scott [62], building on the work of Kachisa [61], give a different strategy for constructing non-cyclotomic polynomials that define a cyclotomic field. Their strategy is to choose elements β ∈ Q(ζ` ) that can be written as an integer linear combination of a power basis with small coefficients, and let r(x) be the minimal polynomial of β. Since ∼ most elements of Q(ζ` ) do not lie in a proper subfield, in most cases we have Q[x]/(r(x)) = Q(ζ` ). We can then proceed as in the Brezing-Weng method.

49 Which β and which kth root of unity modulo r(x) to choose are determined by computer search; the resulting polynomial q(x) should have a degree low enough such that we obtain an attractive ρ-value. In practice we find that most polynomials q(x) generated by the construction have large denominators, so it is rare for these polynomials to take integer values. Yet favorable polynomials do exist, as the following examples show. We give one example below; others can be found in [62]. Example 2.5.9 ([62]). Let k = ` = 16. We set β = −2z 5 +z, which has minimal polynomial r(x) = x8 + 48x4 + 625. In Q[x]/(r(x)), we use ζ16 7→

1 5 35 (2x

+ 41x), so

t(x) = We use

√


1 2x5 + 41x + 35 . 35

1 −1 7→ − 71 (x4 + 24). We get y(x) = − 35 (x5 + 5x4 + 38x + 120) and

q(x) =


1 x10 + 2x9 + 5x8 + 48x6 + 152x5 + 240x4 + 625x2 + 2398x + 3125 . 980

The polynomial q(x) is irreducible. We find that both q(x) and t(x) are integers if and only if x ≡ ±25 (mod 70). In addition, gcd({q(±25 + 70n) : n ∈ Z}) = 1, so q represents primes. Thus (t, r, q) represents a family of curves with embedding degree 16. The ρ-value of this family is 5/4.

2.5.3

Scott-Barreto families

To employ the strategy of Scott and Barreto [113], we again take K to be an extension √ of a cyclotomic field, but this time we do not assume that K contains an element −D. If we choose t(x) to be any polynomial and r(x) to be an irreducible factor of Φk (t(x) − 1), then Q[x]/(r(x)) defines an extension of a cyclotomic field. We then search for an h(x) that makes the right hand side of the CM equation Dy 2 = 4h(x)r(x) − (t(x) − 2)2 take the form of a linear factor times a perfect square. Below we give some examples of this method that achieve ρ-values less than 2 with (nearly) arbitrary D. These examples are due to Mike Scott, who found them by fixing k and executing a computer search through the space of possible t(x) and h(x).

50 Example 2.5.10. Let k = 4 . Take t(x) = x+1, r(x) = Φ4 (x) = x2 +1, h(x) = (x+13)/25. Then the CM equation becomes Dy 2 = =

4 (x + 13)(x2 + 1) − (x − 1)2 25 1 (4x + 3)(x + 3)2 . 25

If we substitute x = (Dz 2 − 3)/4, the right hand side becomes D times a square, and we find q(x) =


1 x3 + 13x2 + 26x + 13 . 25

The ρ-value for this family is 3/2. We observe that q(x) is an integer if and only if x ≡ 2 (mod 5), and since x = (Dz 2 − 3)/4 we conclude that D ≡ 11 or 19 (mod 20). Example 2.5.11. Let k = 6. Take t(x) = −4x2 + 4x + 2, r(x) = Φ6 (t(x) − 1) = 16x4 − 32x3 + 12x2 + 4x + 1, h(x) = x/4. Then the CM equation becomes Dy 2 = x(4x2 − 6x + 1)2 . If we substitute x = Dz 2 , the right hand side becomes D times a square, and we find q(x) = 4x5 − 8x4 + 3x3 − 3x2 +

17 x + 1. 4

The ρ-value for this family is 5/4. Setting D = 3 in Example 2.5.11 would be ideal in terms of performance, for curves with D = 3 have sextic twists [9] that would allow both inputs to the pairing to be given over Fq . Unfortunately, the polynomial r(3z 2 ) factors into two degree-four polynomials in z, so r(3z 2 ) can never be prime. However, the construction does produce curves with ρ ≈ 5/4 for many other values of D.

51

Chapter 3

New Constructions of Pairing-Friendly Elliptic Curves 3.1

Elliptic curves with embedding degree 10. In this section we use the framework of Chapter 2, and in particular the theory of

“sparse families” described in Section 2.4, to construct elliptic curves of prime order with embedding degree 10. This result also appears in [37]. As in Chapter 2, we are looking for polynomials t(x), r(x), q(x) that parametrize the trace, subgroup size, and field size (respectively) of elliptic curves with prescribed embedding degree. Since we want the curves to have prime order, r(x) must be the full group size of the curve, and the three polynomials must satisfy r(x) = q(x) + 1 − t(x). Furthermore, the CM equation Dy 2 = 4q(x) − (t(x))2 = 4r(x) − (t(x) − 2)2 must have an infinite number of solutions. As we showed in Proposition 2.4.5, this can only happen if the right hand side f (x) = 4r(x) − (t(x) − 2)2 is quadratic or has a multiple root. Since r(x) must be an irreducible factor of Φk (t(x) − 1), where Φk is the kth cyclotomic polynomial, the following lemma suggests that a quadratic f (x) occurs naturally only in the cases k = 3, 4, or 6. Lemma 3.1.1. Fix k, let t(x) be a polynomial, and let r(x) be an irreducible factor of Φk (t(x) − 1). Then the degree of r is a multiple of ϕ(k), where ϕ is the Euler phi function.

52 Proof. Suppose t(x) has degree d, so deg Φk (t(x) − 1) = dϕ(k). Let θ be a root of r(x) in Q, and let ω = t(θ)−1. Then Φk (ω) = 0, so ω is a primitive kth root of unity. We thus have the inclusion of fields Q(θ) ⊃ Q(ω) ⊃ Q. Since [Q(θ) : Q] = deg r(x) and [Q(ω) : Q] = ϕ(k), we conclude that ϕ(k) divides deg r(x). Our key observation is that since construction of a sparse family requires f (x) = 4r(x) − (t(x) − 2)2 to be quadratic (see Theorem 2.4.1) and Lemma 3.1.1 implies that deg r(x) ≥ ϕ(k), if k > 6 we must choose r(x) and t(x) in such a way that the high-degree terms of t(x)2 cancel out those of 4r(x). In particular, the degree of t(x) must be half the degree of r(x). We have discovered that for k = 10 there is a choice of r(x) and t(x) such that this is possible. The resulting construction of elliptic curves with embedding degree 10 solves an open problem posed by Boneh, Lynn, and Shacham [17, §4.5]. We begin by noting that in the case k = 10, Lemma 3.1.1 tells us that the smallest possible degree of r(x) is ϕ(10) = 4. Thus to get the high-degree terms of t(x)2 to cancel out those of 4r(x) in this smallest case we must choose t(x) to be quadratic, and furthermore Φ10 (t(x) − 1) must have a degree-4 factor. It happens that for k ∈ {5, 8, 10, 12}, Galbraith, McKee, and Valen¸ca [46] have characterized all quadratic t(x) such that Φk (t(x) − 1) factors into two irreducible quartic polynomials. In the case k = 10 they show that there is an infinite set of t(x) such that this factorization occurs, and that these t(x) are parametrized by the rational points of a certain rank-1 elliptic curve. By experimenting with some of the examples given by Galbraith, McKee, and Valen¸ca, we discovered that t(x) = 10x2 + 5x + 3 leads to a quadratic f (x). Theorem 3.1.2. Fix a positive square-free integer D relatively prime to 15. Define t(x), r(x), and q(x) by t(x) = 10x2 + 5x + 3 r(x) = 25x4 + 25x3 + 15x2 + 5x + 1 q(x) = 25x4 + 25x3 + 25x2 + 10x + 3. If the equation u2 − 15Dv 2 = −20 has a solution with u ≡ 5 (mod 15), then (t, r, q) represents a sparse family of curves with embedding degree 10. Proof. It is easy to verify that conditions (1)–(4) of Definition 2.2.3 (i) hold. Condition (5) requires an infinite number of integer solutions to Dy 2 = f (x), where f (x) = 4q(x) − t(x)2 .

53 The key observation is that for this choice of t and n, f (x) = 4q(x) − t(x)2 = 15x2 + 10x + 3. Multiplying by 15 and completing the square transforms the equation we wish to solve into D0 y 2 = (15x + 5)2 + 20, where D0 = 15D. Integer solutions to this equation correspond to integer solutions to u2 − D0 v 2 = −20 with u ≡ 5 (mod 15). By Theorem 2.4.1, if one such solution exists then an infinite number exist, so (t, r, q) represents a family of curves with embedding degree 10. Since the solutions grow exponentially, this family is sparse (cf. Remark 2.4.3). To use Theorem 3.1.2 to construct curves with embedding degree 10, we choose a D and search for solutions to the equation u2 − 15Dv 2 = −20 that give prime values for q and r. The following lemma, proposed by Mike Scott, speeds up this process by restricting the values of D that we can use. Lemma 3.1.3. Let q(x) be as in Theorem 3.1.2. If (x, y) is an integer solution to Dy 2 = 15x2 + 10x + 3 such that q(x) is prime, then D ≡ 43 or 67 (mod 120). Proof. If x ≡ 0 or 2 (mod 3) then q(x) is divisible by 3, while if x is odd then q(x) is even. Thus if q(x) is prime, then x ≡ 4 (mod 6). To deduce the stated congruence for D, we consider the equation Dy 2 = 15x2 +10x+3 modulo 3, 5, and 8. To begin, we have Dy 2 ≡ x ≡ 1 (mod 3), so D ≡ 1 (mod 3). Next, we have Dy 2 ≡ 3 (mod 5), so y 2 ≡ 1 or 4 (mod 5) and D ≡ 2 or 3 (mod 5). Finally, since x is even we see that Dy 2 ≡ 3 (mod 8), and thus y 2 ≡ 1 (mod 8) and D ≡ 3 (mod 8). Combining these results via the Chinese remainder theorem, we conclude that D ≡ 43 or 67 (mod 120). After reading an earlier version of this work [36], Mike Scott used Theorem 3.1.2 and Lemma 3.1.3 to find examples of elliptic curves with embedding degree 10 via the following algorithm. Algorithm 3.1.4. Let (t, r, q) be as in Theorem 3.1.2. The following algorithm takes inputs MaxD, MinBits, and MaxBits, and outputs pairs (D, x0 ) such that D < MaxD, the number of bits in q(x0 ) is between MinBits and MaxBits, and q(x0 ) and r(x0 ) are both prime.

54 1. Set D to be a positive integer such that D ≡ 43 or 67 (mod 120) and 15D is square free. 2. Use the continued fraction algorithm [75] to compute a fundamental unit γ of the ring √ of integers in Q( 15D). Set δ ← γ 2 if γ has norm −1, δ ← γ otherwise. 3. Use the algorithm of Lagrange, Matthews [83], and Mollin [94, Chapter 5] to find fundamental solutions (u, v) to the equation u2 − 15Dv 2 = −20. (See also [105].) 4. For each fundamental solution (u, v) found in (3): (a) If log2 u > (MaxBits + 11)/4, go to the next fundamental solution. (b) If u ≡ ±5 (mod 15) and log2 u > (MinBits + 11)/4, then: i. Set x0 ← (−5 ± u)/15. ii. If q(x0 ) and r(x0 ) are prime, output (D, x0 ). √ √ (c) Write δ(u + v 15D) = u0 + v 0 15D. Set u ← u0 , v ← v 0 , and return to step (a). 5. Increase D. If D < MaxD, return to step (1); otherwise terminate. The bounds on log2 u in Step (4) can be explained as follows: since q(x) = 25x4 +O(x3 ) and x = (−5 ± u)/15, q(x) grows roughly like u4 /2025. We conclude that log2 q(x) ≈ 4 log2 u − 11, so we require u in the algorithm to satisfy MinBits + 11 MaxBits + 11 < log2 u < . 4 4

(3.1)

In our description of Algorithm 3.1.4, the specific parameters of Theorem 3.1.2 have allowed us to simplify the procedure described in the proof of Theorem 2.4.1. The requirement that 15D be square free implies that w = 1, and the fact that b = 10 is even allows us to remove the factors of 2 in the congruence moduli of equations (2.4). Thus in Step (4) we need only to find (u, v) with u2 − 15Dv 2 = −20 and u ≡ ±5 (mod 15). Given this √ requirement, we see that the only restriction on the unit δ = α + β 15D in Step (4c) is that α 6= 0 (mod 3), which must be true since α2 − 15Dβ 2 = 1. Thus our choice of δ = γ or γ 2 will always give new solutions (u, v) with u ≡ ±5 (mod 15); i.e., the parameter m of Theorem 2.4.1 is equal to 1. In practice the fundamental unit γ computed in Step 2 will usually be very large, in which case we may skip Step (4c) altogether. For example, computations with PARI

55 indicate that when D ≈ 109 , γ has at least 100 bits 99.5% of the time and at least 200 bits 98.9% of the time. Mike Scott ran Algorithm 3.1.4 with inputs MaxD = 2 · 109 , MinBits = 148, and MaxBits = 512; some sample output appears in Appendix A.1. For each (D, x0 ) output by the algorithm, one may then use the CM method (see Section 1.2.4) to construct an elliptic curve over Fq(x0 ) whose number of points is r(x0 ). Since r(x0 ) is prime, by Lemma 1.2.2 this curve has embedding degree 10. Below are two examples of elliptic curves that Scott constructed in this manner. Example 3.1.5. (A 234-bit curve.) Running Algorithm 3.1.4 with D = 1227652867 produces the output x0 = −164286669864814370, from which we compute the 234-bit primes q =

18211650803969472064493264347375950045934254696657090420726230043203803

r =

18211650803969472064493264347375949776033155743952030750450033782306651.

√ The class number of Q( −D) is 5328. The CM method produces the curve E over Fq given by y 2 = x3 − 3x + 15748668094913401184777964473522859086900831274922948973320684995903275.

Then E/Fq has r points and embedding degree 10. Example 3.1.6. (A 252-bit curve.) Running Algorithm 3.1.4 with D = 1039452307 produces the output x0 = −4009700747060840276, from which we compute the 252-bit primes q =

6462310997348816962203124910505252082673338846966431201635262694402825461643

r =

6462310997348816962203124910505252082512561846156628595562776459306292101261.

√ The class number of Q( −D) is 4548. The CM method produces the curve E over Fq given by y 2 = x3 − 3x + 4946538166640251374274628820269694144249181776013154863288086212076808528141.

Then E/Fq has r points and embedding degree 10. Ideally, the bit size of curves with embedding degree 10 should be chosen so that the discrete logarithm in the finite field Fq10 is approximately of the same difficulty as the discrete logarithm problem on an elliptic curve of prime order over Fq . Using the best known discrete logarithm algorithms, this happens when q has between 220 and 250 bits (see Table 1.1 and [13, Chapter 1]). The curves in Examples 3.1.5 and 3.1.6 have been

56 √ selected so that their bit sizes are close to this range and the class numbers of Q( −D) are small enough for the CM method to be effective. In practice, it appears that curves with small embedding degree, prime order, and small CM discriminant D are quite rare. Luca and Shparlinski [80, 81] come to this conclusion for curves with embedding degree 3, 4, or 6 (the MNT curves) through a heuristic analysis of the MNT construction. Since our construction of curves with embedding degree 10 is similar to the MNT construction (cf. Section 2.4.1), a similar analysis should hold for our k = 10 curves. The experimental evidence supports this reasoning: Scott’s execution of Algorithm 3.1.4 with MaxD = 2 · 109 found only 23 curves with prime orders between 148 and 512 bits [111]. Parameters for these curves can be found in Appendix A.1. If we relax the condition on r(x0 ) in Step 4(b)ii of Algorithm 3.1.4 and allow r(x0 ) = hr0 with r0 a large prime and h a small cofactor, then we may find a larger number of suitable curves. Scott also ran this version of the algorithm and found 101 curves with r0 between 148 and 512 bits, h at most 16 bits, and D < 2 · 109 [111]. Some examples can be found in Appendix A.1.

3.1.1

Comparison with prior state of the art

The problem that motivated Boneh, Lynn, and Shacham to seek prime-order elliptic curves with embedding degree 10 is that of producing short digital signatures using their algorithm [17] at a security level equivalent to the Digital Signature Algorithm (DSA) over a 2048-bit prime field. The standards for DSA [6, 30] require DSA signatures over a 2048-bit field Fq to use a 224-bit prime-order subgroup of F× q . It follows that to obtain BonehLynn-Shacham (BLS) signatures at this security level we should work in an elliptic curve subgroup whose order is a prime of at least 224 bits, and the Weil pairing should map this subgroup to a finite field of at least 2048 bits. (This is also the recommended equivalence between DSA and elliptic curve signatures [6, §5.6].) Since the ratio 2048/224 is between 9 and 10, for the most efficient implementation of BLS signatures at this security level we should use curves of prime order with embedding degree 9 or 10. Before our discovery of the family in Theorem 3.1.2, the smallest known ρ-value for a family of elliptic curves with embedding degree 10 was 3/2. This family, which is due to

57 Table 3.1: Elliptic curve parameters for Boneh-Lynn-Shacham signatures with security equivalent to 2048-bit DSA. Family Miyaji-Nakabayashi-Takano (Theorem 2.4.6) Barreto-Lynn-Scott (Construction 2.5.5) Brezing-Weng (Construction 2.5.5) Brezing-Weng (Construction 2.5.5) Brezing-Weng (Equation (3.2), page 57) Barreto-Lynn-Scott (Construction 2.5.5) Barreto-Naehrig (Example 2.5.7) Freeman (Example 3.1.5)

Embedding degree k 6

Field size q (bits) 342

Subgroup size r (bits) 342

Extension field q k (bits) 2052

7

299

224

2091

8

280

224

2240

9

299

224

2688

10

336

224

3360

11

269

224

2957

12

224

224

2688

10

234

234

2340

Brezing and Weng [19, §3, Example 2], has CM discriminant 1 and (t, r, q) given by t(x) = −x6 + x4 − x2 + 2,

r(x) = Φ20 (x),

1 q(x) = (x12 − x10 + x8 − 5x6 + 5x4 − 4x2 + 4). 4 (3.2)

An elliptic curve in this family with a 224-bit prime-order subgroup would be defined over a 336-bit field Fq , and the pairing would map to a 3360-bit field. A BLS signature using such a curve would attain the level of security equivalent to 2048-bit DSA, but the signatures would be 336 bits long. On the other hand, if we implement BLS signatures using the 234-bit prime-order curve of Example 3.1.5, then the pairing maps to a 2340-bit field and signatures are 234 bits long, so the desired security is obtained with a shorter signature. Table 3.1 shows these and several other possibilities for families of elliptic curves with subgroups of at least 224 bits for which the pairing maps to a field of at least 2048 bits. The size of a BLS signature using a curve from this table is the size of the finite field Fq . Note that all of the choices in the table would provide shorter signatures than 2048-bit DSA, which produces signatures of 448 bits.

58 We observe that Barreto-Naehrig curves of prime order with embedding degree 12 can also produce short BLS signatures at this security level. Since the pairing on a 224-bit Barreto-Naehrig curve maps to a larger field than does the pairing on the curve in Example 3.1.5, the public and private keys will be larger and the signature verification may take longer if the Barreto-Naehrig curve is used. However, compression techniques such as those of [9, §3] may be used to reduce these sizes and the complexity of the pairing computation.

3.2

More discriminants in cyclotomic families In this section we describe an extension to the constructions of “complete families” that

we described in Section 2.5. The “cyclotomic” and “sporadic” constructions we described in that section have in common that we first fix a (small) square-free CM discriminant, and then compute the corresponding complete family of curves, all with the same discriminant. We refer to such constructions as basic constructions. Some users, however, might prefer more flexibility with regard to the CM discriminant D. For example, one might view curves with D = 3 suspiciously, as these curves have the unusual property of having an automorphism group of order 6, and the extra structure may be used to aid a future (as yet unknown) discrete logarithm attack. This is an example of the “hard-line” position on security articulated by Koblitz [67]: All parameters for a cryptosystem must always be chosen with the maximal possible degree of randomness, because any extra structure or deviation from randomness might some day be used to attack the system. Users taking this viewpoint will want families of pairing-friendly elliptic curves with variable CM discriminant D. Our main result in this section is Theorem 3.2.1, which, given a family of curves with fixed discriminant, allows us to build a family of curves with variable CM discriminant and the same ρ-value. Thus, combining a basic construction with Theorem 3.2.1 yields a general method for constructing families of curves with variable CM discriminant and ρ < 2. Previous constructions with variable discriminant required either ρ ≥ 2 (cf. Section 2.3) or k ≤ 6 (cf. Section 2.5.3). Note that D is by definition square free, so curves with different CM discriminants D are not isogenous. After presenting our main result, we give examples of variable-discriminant families for any embedding degree k satisfying gcd(k, 24) ∈ {1, 2, 3, 6, 12}. In particular, Constructions

59 3.2.2 and 3.2.6 combine Theorem 3.2.1 with the method of Brezing and Weng to give new families of curves for k ≡ 3 (mod 4) and k ≡ 2 (mod 8), respectively. When k is not divisible by 3, these families have ρ-value smaller than that of any other known variablediscriminant complete family. Furthermore, the families with k ≡ 10 (mod 24) have ρvalue smaller than any other known complete family, with fixed (in advance) or variable discriminant. Recall that a triple of polynomials (t, r, q) is said to represent a potential family of elliptic curves with embedding degree k if it satisfies conditions (2)–(5) of Definition 2.2.3 (i); in particular, q may not represent primes (or be a power of a p(x) that represents primes). Our result says that if the polynomials in a potential family have a certain form, we may obtain families with (nearly) arbitrary discriminant. In particular, this allows us to make D a parameter input at the time of curve construction rather than at the time the polynomials t, r, q are computed. We will then see that in many cases the potential families are actual families in the sense of Definition 2.2.3. Theorem 3.2.1. Suppose (t, r, q) represents a potential family of elliptic curves with em√ ∼ Q[x]/(r(x)), and let y(x) 7→ (ζk − 1)/ −D bedding degree k and discriminant D. Let K = in K as in Theorem 2.5.1. Suppose t, r, and q are even polynomials and y is an odd polynomial. Define r0 , q 0 to be the polynomials such that r(x) = r0 (x2 ) and q(x) = q 0 (x2 ). Then for any integer α such that r0 (αx2 ) is irreducible, there exists a potential family of curves with embedding degree k, discriminant αD, and ρ-value equal to ρ(t, r, q). Proof. We begin by defining polynomials t0 , y 0 such that t(x) = t0 (x2 ) and y(x) = x · y 0 (x2 ). √ Let σ be a root of r(x), so K = Q(σ). Let τ = σ/ α, so τ is a root of r0 (αx2 ). If r0 (αx2 ) is irreducible, we may define L to be the number field Q(τ ) ∼ = Q[x]/(r0 (αx2 )). Then any element of K that can be expressed as an even polynomial g(σ 2 ) is also an element of L. In particular, since t(x) is even and t0 (σ 2 ) − 1 = ζk in K, we have ζk = t0 (ατ 2 ) − 1 in L. Now let β be the element y 0 (σ 2 ) ∈ K; then β = y 0 (ατ 2 ) in L. From the definition of y(x) we have −Dy(σ)2 = −Dσ 2 y 0 (σ 2 )2 = (ζk − 1)2 in K, so −Dσ 2 y 0 (ατ 2 )2 = (ζk − 1)2 in L. Substituting σ 2 = ατ 2 gives −Dατ 2 y 0 (ατ 2 )2 = (ζk − 1)2 ,

60 so we conclude that ζk − 1 τ y 0 (ατ 2 ) = √ −αD in L. A straightforward computation now shows that q 0 (αx2 ) =


1 0 t (αx2 )2 + αD(xy 0 (αx2 ))2 . 4

Since r0 (αx2 ) is irreducible by hypothesis, it satisfies condition (2) of Definition 2.2.3 (i). Thus by Theorem 2.5.1, the triple (t0 (αx2 ), r0 (αx2 ), q 0 (αx2 )) represents a potential family of curves with embedding degree k and discriminant αD. The ρ-value for this family is 2 deg q 0 /2 deg r0 = deg q/ deg r. Theorem 3.2.1 tells us that if t, r, q are even polynomials and polynomial, then the substitution

x2

7→

αx2

√

−D mod r(x) is an odd

usually gives a potential family of curves with

discriminant αD. In practice, if r(x) is irreducible then r0 (αx2 ) is nearly always irreducible, and the difficult part in obtaining true families is ensuring that q 0 (αx2 ) represents primes. Our first application of Theorem 3.2.1 is to the following construction, which improves on Construction 2.5.2 for certain odd values of k. Construction 3.2.2. Let k be odd, D = 1, and K = Q[x]/(Φ4k (x)). If we take ζk 7→ √ (−1)(k+1)/2 xk+1 , so t(x) = 1 + (−1)(k+1)/2 xk+1 , then using −1 7→ xk we have ζk − 1 √ 7→ (1 − (−1)(k+1)/2 xk+1 )xk ≡ (−1)(k+1)/2 x + xk −1

mod Φ4k (x)

(since x2k ≡ −1 mod Φ4k (x)). We may then compute q(x) =

 1  2k+2 x + x2k + 4(−1)(k+1)/2 xk+1 + x2 + 1 . 4

Then (t(x), Φ4k (x), q(x)) represents a complete potential family of curves with embedding degree k and discriminant 1. The ρ-value for this family is deg q/ deg Φ4k = (k+1)/ϕ(k). When k ≡ 1 (mod 4) (i.e., when the middle term of q(x) is negative), q(x) has a factor (x2 − 1)2 , and thus we do not have a family of curves. We conjecture that q(x) is irreducible whenever k ≡ 3 (mod 4), and computations show that the conjecture holds for k < 200. In

61 addition, q(x) is an integer whenever x is odd. Unfortunately, we find that q(x) is always even when x is odd, so q fails condition (5) of Definition 2.2.1 and thus does not represent primes. But all is not lost! We note that t, r, q of Construction 3.2.2 are even polynomials √ and −1 is an odd polynomial, so we may apply Theorem 3.2.1 to make the substitution x2 7→ αx2 in t, r, q. After making this substitution, we may find that the new q(x) does indeed represent primes and thus we get a true family of curves. However, to get even a potential family, we must first show that r(x) is irreducible. We will first need an algebraic lemma. Lemma 3.2.3. Let K = Q(θ) be a number field, and let r(x) be the minimal polynomial of θ. Then for α ∈ K, the polynomial r(αx2 ) is irreducible if and only if αθ is not a square in K. Proof. The proof follows exactly the proof of [46, Lemma 1]. We observe that the argument holds regardless of whether K is Galois. Corollary 3.2.4. Let k be odd, and let α be an non-square integer not dividing k. Then Φk (αx2 ) is irreducible. Proof. Since ζk is a square in Q(ζk ), by Lemma 3.2.3 Φk (αx2 ) is irreducible if and only if α is not a square in Q(ζk ); a sufficient condition for this to occur is α is a non-square integer not dividing k. Theorem 3.2.1 and Corollary 3.2.4 combine to tell us that Construction 3.2.2 leads to potential families of curves with discriminant α for any non-square α - k, and it remains only to check that the new q, which we denote as  1  k+1 2k+2 qα (x) = α x + αk x2k + 4(−α)(k+1)/2 xk+1 + αx2 + 1 , 4 represents primes. If k ≡ 1 (mod 4) then qα (x) always factors, but for k ≡ 3 (mod 4) qα (x) is likely to be irreducible. Other than by checking each value of α and k individually, we have no way of showing that qα (x) represents primes. However, if α ≡ 3 (mod 4) and x is odd, qα (x) is an odd integer, so qα may represent primes. In practice it appears that, for various k and α both congruent to 3 (mod 4), qα (x) does indeed represent primes. We cannot prove this result, but we give one such example below.

62 Example 3.2.5. Let k = 11, α = 19. Applying Theorem 3.2.1 to Construction 3.2.2 with these parameters gives the family t(x) = 196 x12 + 1, r(x) = Φ11 (−19x2 ),
1 q(x) = 1912 x24 + 1911 x22 + 4 · 196 x12 + 19x2 + 1 . 4 This family has embedding degree 11. When x0 = 14593 we find that q(x0 ) is a 265-bit prime and r(x0 ) is a 222-bit prime. The unique curve with CM by the ring of integers in √ Q( −19) has j-invariant −884736 [118, §A.3]; an equation over Fq(x0 ) is given by y 2 = x3 + 12x + 662488133154657423799930884337392831511233568367903219370289497229757469273982875\ 949203830805705576929372735107939.

As in the derivation of Construction 2.5.3 from Construction 2.5.2, we may use the fact that if k is odd then ζ2k = −ζk to derive an analogous construction for embedding degrees that are twice an odd number. Construction 3.2.6. Let k be odd. Changing the sign of ζk in Construction 3.2.2 gives t(x) = 1 − (−1)(k+1)/2 xk+1 , r(x) = Φ4k (x),  1  2k+2 x + x2k − 4(−1)(k+1)/2 xk+1 + x2 + 1 . q(x) = 4 Then (t, r, q) represents a potential family of pairing-friendly elliptic curves with embedding degree 2k, discriminant 1, and ρ-value (k + 1)/ϕ(k). In terms of the embedding degree k 0 = 2k, the ρ-value is thus (k 0 /2 + 1)/ϕ(k 0 ). If k ≡ 3 (mod 4) then q(x) has a factor of (x2 − 1)2 , and if k ≡ 1 (mod 4) then q(x) takes integer values when x is odd, and these values are always even. Substituting x2 7→ αx2 , we get qα (x) =

 1  k+1 2k+2 α x + αk x2k − 4(−α)(k+1)/2 xk+1 + αx2 + 1 . 4

As in Construction 3.2.2, qα (x) is even for α ≡ 1 (mod 4), so we must choose α ≡ 3 (mod 4) if we want qα (x) to represent primes. We illustrate with an example.

63 Example 3.2.7. Let k = 13 and α = 251 (the largest prime factor of 2008). Applying Theorem 3.2.1 to Construction 3.2.6 with these parameters gives the family t(x) = 2517 x14 + 1, r(x) = Φ13 (−251x2 ),
1 25114 x28 + 25113 x26 + 4 · 2517 x14 + 251x2 + 1 . q(x) = 4 This family has embedding degree 26. When x0 = 3255 we find that q(x0 ) is a 437-bit prime and r(x0 ) is a 376-bit prime. We computed the Hilbert class polynomial for the ring √ of integers of Q( −251) in MAGMA [18] and found a root j0 ∈ Fq(x0 ) . The curve with j-invariant j0 is given by y 2 = x3 + x + 8771654111207839181461299134630845125799169816034899811646308950254534117469969\ 458312266776406054404171478315795953474442753849998.

To conclude this section, we note that Constructions 2.5.2 and 2.5.3 satisfy the conditions of Theorem 3.2.1. We make the substitution x2 7→ αx2 , where α is odd, and obtain a potential family of pairing-friendly curves. The discriminant of a curve in this family is α. We also note that Construction 2.5.6 satisfies the conditions of Theorem 3.2.1 when k is not divisible by 8. If k is not divisible by 4 we may choose any odd α; if k is divisible by 4 we must choose α ≡ 1 (mod 4). Since D = 2 in Construction 2.5.6, the discriminant of a curve in the resulting potential family can be any square-free positive integer congruent to 2 mod 4 (if 4 - k) or 2 mod 8 (if 4 | k). We can do the same for the cases presented in Table 2.1; an analysis shows that we can take any α for k = 15 and α ≡ 3 (mod 4) for k = 28 or 44.

3.2.1

Algorithm for generating variable-discriminant families

By combining the substitution x2 7→ αx2 from Theorem 3.2.1 (for some appropriate α) with one of the basic constructions 2.5.2, 2.5.3, 2.5.6, 3.2.2 or 3.2.6, we can generate a family of pairing-friendly curves with variable discriminant D for any k satisfying gcd(k, 24) ∈ {1, 2, 3, 6, 12}. We now give step-by-step instructions for this procedure. 1. Select an embedding degree k with gcd(k, 24) ∈ {1, 2, 3, 6, 12}.

64 2. Select a basic construction from the following list. (Some values of k may offer more than one possibility.) • Construction 2.5.2, if k is odd. • Construction 2.5.3, if k ≡ 2 (mod 4). • Construction 2.5.6, if 3 | k. • Construction 3.2.2, if k ≡ 3 (mod 4). • Construction 3.2.6, if k ≡ 2 (mod 8). 3. Use the selected basic construction to compute polynomials t(x), r(x), q(x) that represent a family of elliptic curves with embedding degree k. 4. Let t0 , r0 , q 0 be polynomials such that t(x) = t0 (x2 ), r(x) = r0 (x2 ), and q(x) = q 0 (x2 ). 5. Select a square-free positive integer α - k such that after the substitution x2 7→ αx2 , the resulting polynomial q 0 (αx2 ) represents primes. This condition requires α to have the following form: • α odd for Constructions 2.5.2, 2.5.3, and 2.5.6 with 4 - k. • α ≡ 1 (mod 4) for Construction 2.5.6 with 4 | k. • α ≡ 3 (mod 4) for Constructions 3.2.2 and 3.2.6. 6. Let D = 2α if Construction 2.5.6 was used, and let D = α otherwise. Then (t0 (αx2 ), r0 (αx2 ), q 0 (αx2 )) represents a family of elliptic curves with embedding degree k and discriminant D. In particular, for values of α and x such that q 0 (αx2 ) is prime, there is an elliptic curve over Fq0 (αx2 ) with a subgroup of order r0 (αx2 ) and embedding degree √ k. If the class number of Q( −D) is less than 105 , the equation for this curve can be computed by the CM method. One setting where this procedure may be useful is if some degree of randomness is desired in the CM discriminant of a pairing-friendly elliptic curve. One can carry out Steps (1)–(4), compute an integer a such that r0 (a) has slightly fewer than the minimum number of bits necessary for the desired security level in the elliptic curve subgroup, and then choose α randomly in [1, a] subject to the constraints of Step (5). One then expects that there should be values of x such that q 0 (αx2 ) is prime and r0 (αx2 ) is a (near-)prime of the desired

65 bit length. These values of x and α can then be used to generate a pairing-friendly curve via the CM method. Note that the Cocks-Pinch method (Theorem 2.3.1) can be used to generate elliptic curves with arbitrary CM discriminant for any embedding degree k. However, the ρ-values of such curves will always be around 2. The advantage of the procedure outlined in this section is that we can vary the CM discriminant and obtain ρ-values strictly less than 2, for many values of k.

66

Chapter 4

Constructing Pairing-Friendly Abelian Varieties 4.1

Introduction In Chapters 2 and 3 we addressed the Motivating Problem of page 4 in the case g = 1

by describing constructions of pairing-friendly elliptic curves. In this chapter we consider the same problem for arbitrary g, and give two methods that produce pairing-friendly abelian varieties of arbitrary dimension. In contrast to the case of elliptic curves, very little is known about pairing-friendly ordinary abelian varieties of dimension g ≥ 2. While there are several existence results [46, 57], until very recently there were no explicit constructions of such varieties. In [38] we presented a method for constructing ordinary, absolutely simple abelian surfaces (g = 2), and there is a construction due to Kawazoe and Takahashi [64] that produces pairingfriendly ordinary abelian surfaces that are simple over Fq but are Fq -isogenous to a product of two isomorphic elliptic curves. Our first main result, Algorithm 4.2.6, generalizes to arbitrary dimension the method of Cocks and Pinch (Theorem 2.3.1) for producing pairing-friendly elliptic curves. The algorithm produces q-Weil numbers π that correspond (in the sense of Honda-Tate theory [122]) to ordinary, absolutely simple abelian varieties having arbitrary embedding degree with respect to a subgroup of (nearly) arbitrary order r. The method works by fixing a CM field K of degree 2g and a primitive CM type Φ on K and using a type norm to construct

67 a q-Weil number π ∈ K that satisfies the conditions of Corollary 1.2.3. It follows that the q-Weil number π is the Frobenius element of a pairing-friendly ordinary abelian variety A of dimension g. If the CM field K is suitably small, CM methods can then be used to produce A explicitly (see Section 1.2.4). In the case g = 2 this method supersedes our result of [38]. This work is joint with Peter Stevenhagen and Marco Streng of Universiteit Leiden (the Netherlands) and appears in [42]. Section 4.3 provides some explicit examples of pairing-friendly abelian varieties constructed by Algorithm 4.2.6. We find that on inputs of cryptographic size, the ρ-values of the varieties produced are very close to 2gb g , where 2b g is the degree of the reflex field of K. (If K is Galois then gb = g, but in general we expect gb to be much larger than g.) This experimental observation agrees with a heuristic analysis of the algorithm’s output. In dimension g = 2 the construction of [38] and that of Algorithm 4.2.6 both lead to ordinary, absolutely simple abelian varieties with ρ ≈ 8. The construction of Kawazoe and Takahashi produces ordinary abelian surfaces with ρ-values between 3 and 4; however, these varieties are not absolutely simple, and thus the construction can be interpreted as producing pairing-friendly elliptic curves over some extension field of Fq . Since all of the constructions of pairing-friendly elliptic curves can produce curves with ρ ≤ 2, in order to make higher-dimensional pairing-friendly abelian varieties appealing to the practitioner we must produce examples with smaller ρ-values. In Section 4.4 we demonstrate the first constructions of pairing-friendly ordinary abelian varieties of dimension g ≥ 2 that are absolutely simple and have ρ-values significantly less than 2gb g . Our second main result, Algorithm 4.4.9, uses the techniques of Section 4.2 to abstract and generalize the method of Brezing and Weng (Theorem 2.5.1) for constructing pairing-friendly elliptic curves. The key idea is to parametrize the subgroup order r and the Frobenius element π as polynomials of a single variable r(x) ∈ Q[x] and π(x) ∈ K[x]. We then extend the type norm to polynomials and construct the polynomial b π(x) as the extended type norm of an element ξ ∈ K[x] that is chosen to have specified b residues modulo factors of r(x) in K[x]. As in the Brezing-Weng method, we compute parameters for individual varieties by finding an x0 for which q(x0 ) = π(x0 )π(x0 ) is prime and r(x0 ) has a large prime factor. Once such an x0 is found, we can use CM methods to construct the abelian variety whose Frobenius element is given by π(x0 ). In Section 4.5 we discuss how to select the parameters in this algorithm to produce the optimal output, and we provide a number of examples of families of ordinary abelian

68 varieties produced by our method. These include several families of abelian surfaces (g = 2) with ρ ≤ 7, including one with embedding degree 5 and ρ ≈ 4, which could be a practical choice for certain security levels. We also demonstrate a family of three-dimensional abelian varieties with ρ ≈ 12. We conclude by discussing avenues for further research in this area.

4.2

Weil numbers yielding prescribed embedding degrees Let Fq be the field of q elements, A a g-dimensional simple abelian variety over Fq , and

K = Q(π) ⊂ EndFq (A) ⊗ Q the number field generated by the Frobenius endomorphism π of A. As we described in Section 1.2.1, π is a q-Weil number in K: an algebraic integer with √ the property that all of its embeddings in Q have complex absolute value q. By HondaTate theory [122], all q-Weil numbers arise as Frobenius elements of abelian varieties over Fq . The q-Weil number π determines the embedding degree of A with respect to a subgroup of prime order r. As we saw in Corollary 1.2.3, if K = Q(π) equals EndFq (A) ⊗ Q and there is an integer k for which r - qk and NK/Q (π − 1) ≡ 0

(mod r),

(4.1)

Φk (ππ) ≡ 0

(mod r),

(4.2)

then A has embedding degree k with respect to r. Thus, we can prove the existence of an abelian variety A with embedding degree k by exhibiting a q-Weil number π ∈ K with these properties. The following lemma states what we need. Lemma 4.2.1. Let π be a q-Weil number and Fq be the field of q elements. Then there exists a unique isogeny class of simple abelian varieties A/Fq with Frobenius π. If K = Q(π) is totally imaginary of degree 2g and q is prime, then such A have dimension g, and K is the full endomorphism algebra EndFq (A) ⊗ Q. If furthermore q is unramified in K, then A is ordinary. Proof. The main theorem of [122] yields existence and uniqueness, and shows that E = EndFq (A) ⊗ Q is a central simple algebra over K = Q(π) satisfying 1

2 · dim(A) = [E : K] 2 [K : Q]. For K totally imaginary of degree 2g and q prime, Waterhouse [128, Theorem 6.1] shows that we have E = K and dim(A) = g. By [128, Proposition 7.1], A is ordinary if and only

69 if π + π is prime to q = ππ in OK . Thus if A is not ordinary, the ideals (π) and (π) have a common divisor p ⊂ OK with p2 | q, so q ramifies in K. Example 4.2.2. Our general construction is motivated by the case where K is a Galois CM field of degree 2g, with cyclic Galois group generated by σ. Here σ g is complex conjugation, so we can construct an element π ∈ OK satisfying πσ g (π) = ππ ∈ Z by choosing any ξ ∈ OK and letting π=

g Y

σ i (ξ).

i=1

For such π, we have ππ = NK/Q (ξ) ∈ Z. If NK/Q (ξ) is a prime q, then π is a q-Weil number in K. Now we wish to impose the conditions (4.1) and (4.2) on π. Let r be a rational prime that splits completely in K, and r a prime of OK over r. For i = 1, . . . , 2g, put ri = σ −i (r); Q then the factorization of r in OK is rOK = 2g i=1 ri . If αi ∈ Fr = OK /ri is the residue class Q of ξ modulo ri , then σ i (ξ) modulo r is also αi , so the residue class of π modulo r is gi=1 αi . Q Furthermore, the residue class of ππ modulo r is 2g i=1 αi . If we choose ξ to satisfy g Y

αi = 1 ∈ Fr ,

(4.3)

i=1

we find π ≡ 1 (mod r) and thus NK/Q (π − 1) ≡ 0 (mod r). By choosing ξ such that in addition ζ=

2g Y i=1

αi =

2g Y

αi

(4.4)

i=g+1

is a primitive k-th root of unity in F× r , we guarantee that ππ = NK/Q (ξ) is a primitive k-th root of unity modulo r. Thus we can try to find a suitable Weil number π by picking residue classes αi ∈ F× r for i = 1, . . . , 2g meeting the two conditions (4.3) and (4.4), computing some “small” lift ξ ∈ OK with (ξ mod ri ) = αi , and testing whether ξ has prime norm. As numbers of moderate size have a high probability of being prime by the prime number theorem, a small number of choices (αi )i should suffice. There are (r − 1)2g−2 ϕ(k) possible choices for (αi )2g i=1 , where ϕ is the Euler phi function, so for g > 1 and large r we are very likely to succeed. For g = 1, there are only a few choices (α1 , α2 ) = (1, ζ), but one can try various lifts and thus recover the Cocks-Pinch algorithm (Theorem 2.3.1) for finding pairing-friendly elliptic curves.

70 For arbitrary CM fields K, the appropriate generalization of the map ξ 7→

g Y

σ i (ξ)

i=1

in Example 4.2.2 is provided by the type norm. A CM type of a CM field K of degree 2g is a set Φ = {φ1 , . . . , φg } of embeddings of K into its normal closure L such that Φ ∪ Φ = {φ1 , . . . , φg , φ1 , . . . , φg } is the complete set of embeddings of K into L. The type norm NΦ : K → L with respect to Φ is the map NΦ : x 7→

g Y

φi (x),

i=1

which clearly satisfies NΦ (x)NΦ (x) = NK/Q (x) ∈ Q.

(4.5)

b If K is not Galois, the type norm NΦ does not map K to itself, but to its reflex field K with respect to Φ. To end up in K, we can however take the type norm with respect to the reflex type Ψ, which we will define now (cf. [115, Section 8]). Let G be the Galois group of L/Q, and H the subgroup fixing K. Then the 2g left cosets of H in G can be viewed as the embeddings of K in L, and this makes the CM type Φ into a set of g left cosets of H for which we have G/H = Φ ∪ Φ. Let S be the union of the b = {γ ∈ G : γS = S} be the stabilizer of left cosets in Φ, and put Sb = {σ −1 : σ ∈ S}. Let H b defines a subfield K b of L, and as we have H b = {γ ∈ G : Sγ b = S} b we can S in G. Then H b inside G. These cosets define a set of embeddings interpret Sb as a union of left cosets of H b into L. We call K b the reflex field of (K, Φ) and we call Ψ the reflex type. Ψ of K b is a CM field, and Ψ is a CM type of K. b The field K b is Lemma 4.2.3. The field K P b generated over Q by the sums φ∈Φ φ(x) for x ∈ K. The type norm NΦ maps K to K. Proof. The first two statements are proved in [115, Chapter II, Proposition 28] (though b differs from ours, because Shimura lets G act from the right). For the the definition of H Q b we have γS = S, so γ Q last statement, notice that for γ ∈ H, φ∈Φ φ(x) = φ∈Φ φ(x). A CM type Φ of K is induced from a CM subfield K 0 ⊂ K if it is of the form Φ = {φ : φ|K 0 ∈ Φ0 } for some CM type Φ0 of K 0 . In other words, Φ is induced from K 0 if and only if S as above is a union of left cosets of Gal(L/K 0 ). We call Φ primitive if it is not induced from a strict subfield of K. Notice that the reflex type Ψ is primitive by definition

71 b and that (K, Φ) is induced from the reflex of its reflex. In particular, if Φ is primitive, of K, b = K, then the reflex of its reflex is (K, Φ) itself. For K Galois and Φ primitive we have K and the reflex type of Φ is Ψ = {φ−1 : φ ∈ Φ}. b has the For CM fields K of degree 2 or 4 with primitive CM types, the reflex field K same degree as K. This fails to be so for g ≥ 3; a proof of this fact appears in [42]. For b is a field of degree 2g generated by a “generic” CM field K the degree of L is 2g g!, and K P p σ(η), with σ ranging over Gal(K0 /Q). σ From (4.5) and Lemma 4.2.3, we see that for every ξ ∈ OKb , the element π = NΨ (ξ) is an element of OK that satisfies ππ ∈ Z. To make π satisfy the conditions of Corollary b The following proposition allows 1.2.3, we need to impose conditions modulo r on ξ in K. b in a way that will be useful for our construction. us to index the factors of r in K Proposition 4.2.4. Let (K, Φ) be a CM type, and let r be a prime that splits completely in b with respect to Φ. Pick K, and therefore in its normal closure L and in the reflex field K a prime R over r in L, and for each ψ ∈ Ψ write rψ = ψ −1 (R), i.e., the inverse image of b → L. Then the complete factorization of r in O b is R under the embedding ψ : K K rOKb =

Y

rψ r ψ .

ψ∈Ψ

b Proof. Let G = Gal(L/Q) and H = Gal(L/K). For each ψ ∈ Ψ, let ψ 0 ∈ G be a b Then for representative of the left coset of H in G that induces the embedding ψ on K. b it follows that σψ 0−1 (R) is a each ψ ∈ Ψ we have rψ = ψ 0−1 (R) ∩ OKb . Since H fixes K, prime of L over rψ for every σ ∈ H, and thus r ψ OL =

Y

σψ 0−1 (R).

σ∈H

If we denote by Ψ the set {ψ : ψ ∈ Ψ}, then Ψ ∪ Ψ is a complete set of coset representatives of H in G. It follows that G = {σψ 0 , σψ 0 : ψ ∈ Ψ, σ ∈ H}, and thus rOL =

Y Y ψ∈Ψ σ∈H

σψ 0−1 (R)σψ 0

−1

(R) =

Y

(rψ OL )(rψ OL ).

ψ∈Ψ

The statement follows by taking the intersection of both sides with OKb . We can now generalize the argument of Example 4.2.2 to arbitrary CM fields K.

72 b Ψ) its reflex. Let r ≡ 1 (mod k) be a Theorem 4.2.5. Let (K, Φ) be a CM type and (K, prime that splits completely in K, and write its factorization in OKb as in Proposition 4.2.4. Given ξ ∈ OKb , write (ξ mod rψ ) = αψ ∈ Fr and (ξ mod rψ ) = βψ ∈ Fr for ψ ∈ Ψ. Suppose that Y

αψ = 1

ψ∈Ψ

and

Y

βψ = ζ

(4.6)

ψ∈Ψ

for some primitive k-th root of unity ζ ∈ F× r . Let π = NΨ (ξ) ∈ OK . Then 1. ππ ∈ Z, 2. NK/Q (π − 1) ≡ 0 (mod r), and 3. Φk (ππ) ≡ 0 (mod r). Proof. Statement (1) follows from the fact that ππ = NK/Q (ξ). Next, let R ⊂ OL be b the prime over r underlying the factorization of Proposition 4.2.4. Since ψ(rψ ) ⊂ R for all ψ ∈ Ψ, the conditions (4.6) imply that π − 1 ∈ OK and Φk (ππ) ∈ Z are both elements of R. Statements (2) and (3) now follow. If the element π in Theorem 4.2.5 generates K and NK/Q (π) is a prime q that is unramified in K, then by Lemma 4.2.1 π is a q-Weil number corresponding to an g-dimensional ordinary abelian variety A over Fq with endomorphism algebra K and Frobenius element π. By Corollary 1.2.3, A has embedding degree k with respect to r. This leads to the following algorithm. Algorithm 4.2.6. Input: a CM field K of degree 2g ≥ 4, a primitive CM type Φ of K, a positive integer k, and a prime r ≡ 1 (mod k) that splits completely in K. Output: a prime q and a q-Weil number π ∈ K corresponding to a g-dimensional ordinary, simple abelian variety A/Fq that has embedding degree k with respect to r. b Ψ) of (K, Φ). Set gb ← 1. Compute a Galois closure L of K and the reflex (K,

1 2

b deg K

and write Ψ = {ψ1 , ψ2 , . . . , ψgb}. 2. Fix a prime R | r of OL , and compute the factorization of r in OKb as in Proposition 4.2.4. 3. Compute a primitive k-th root of unity ζ ∈ F× r .

73 4. Choose random α1 , . . . , αgb−1 , β1 , . . . , βgb−1 ∈ F× r . 5. Set αgb ←

Qgb−1 i=1

αi−1 ∈ F× b←ζ r and βg

Qgb−1 i=1

βi−1 ∈ F× r .

6. Compute ξ ∈ OKb such that (ξ mod rψi ) = αi and (ξ mod rψi ) = βi for i = 1, 2, . . . , gb. 7. Set q ← NK/Q (ξ). If q is not prime, go to Step (4). b 8. Set π ← NΨ (ξ). If q is not unramified in K, or π does not generate K, go to Step (4). 9. Return q and π. Remark 4.2.7. We require g ≥ 2 in Algorithm 4.2.6, as the case g = 1 is already covered by Example 4.2.2, and requires a slight adaptation. The condition that r be prime is for simplicity of presentation only; the algorithm easily extends to square-free values of r that are given as products of splitting primes. Such r are required, for example, by the cryptosystem of Boneh, Goh, and Nissim [16]. An example with an r of this form appears as Example 4.3.9 below. Theorem 4.2.8. If the field K is fixed, then the heuristic expected run time of Algorithm 4.2.6 is polynomial in log r. Proof. The algorithm consists of a precomputation for the field K in Steps (1)–(3), followed b is found that has prime by a loop in Steps (4)–(7) that is performed until an element ξ ∈ K norm q, and we also find in Step (8) that q is unramified in K and the type norm π = NΨ (ξ) generates K. The primality condition in Step (7) is the “true” condition that becomes harder to achieve with increasing r, whereas the conditions in Step (8), which are necessary to guarantee correctness of the output, are so extremely likely to be fulfilled (especially in cryptographic applications where K is small and r is large) that they will hardly ever fail in practice and only influence the run time by a constant factor. As ξ is computed in Step (6) as the lift to OKb of an element ξ ∈ OKb /rOKb ∼ = (Fr )2bg , its norm can be bounded by a constant multiple of r2bg . Heuristically, q = NK/Q (ξ) behaves b as a random number, so by the prime number theorem it will be prime with probability at least (2b g log r)−1 , and we expect that we need to repeat the loop in Steps (4)–(7) about 2b g log r times before finding an element ξ with prime norm q. As each of the steps is polynomial in log r, so is the expected run time up to Step (7), and we are done if we show

74 that the conditions in Step (8) are met with some positive probability if K is fixed and r is sufficiently large. For q being unramified in K, one simply notes that only finitely many primes ramify in the field K (which is fixed) and that q tends to infinity with r, since r divides NK/Q (π −1) ≤ √ ( q + 1)2g . Finally, we show that π generates K with probability tending to 1 as r tends to infinity. To show that K = Q(π), it suffices to show that any automorphism φ of L that fixes π also b Suppose fixes K. Let φ be an automorphism of L. Then the set φ ◦ Ψ is a CM type of K. that the following condition holds: for every vector ~v ∈ {0, 1}gb that is not all 0 or 1, we have

g b Y (αi /βi )vi 6= 1.

(4.7)

i=1

Choose ~v ∈ {0, 1}gb such that vi = 0 if φ ◦ Ψ contains ψi and vi = 1 otherwise. Since αi is (ψi (ξ) mod R) and βi is (ψi (ξ) mod R), it follows that (π/φ(π) mod R) is equal to Qgb vi v = ~0 or ~v = ~1, so i=1 (αi /βi ) . By the assumption (4.7), if this expression is 1 then ~ φ ◦ Ψ = Ψ or φ ◦ Ψ = Ψ. By definition of the reflex, these conditions imply that either φ or φ is trivial on K, which is equivalent to φ acting trivially on the maximal real subfield K0 . It follows that φ either is trivial on K or acts on K by complex conjugation. If the latter holds, then φ(π) = π implies that π is real and q = π 2 , so q ramifies in K. We conclude that if (4.7) holds and q is unramified in K, then φ(π) = π implies that φ is trivial on K, and thus K = Q(π). The set of 2gb − 2 (dependent) conditions in (4.7) on the 2b g − 2 independent random variables αi , βi , 1 ≤ i ≤ gb − 1, is satisfied with probability at least 1 − (2gb − 2)/(r − 1). Since the probability that q is unramified tends to 1 as r tends to infinity, it follows that K = Q(π) with probability tending to 1 as r tends to infinity.

4.3

Performance of Algorithm 4.2.6 and examples Step (6) of Algorithm 4.2.6 uses the Chinese remainder theorem to determine an

element ξ ∈ OKb with the specified residues αi and βi modulo primes over r. In practice, for given r, one lifts a standard basis of O b /rO b ∼ = (Fr )2bg to O b . Multiplying those lifts by K

K

K

integer representatives for the elements αi and βi of Fr , one quickly obtains lifts ξ. We also choose, independently of r, a Z-basis of OKb consisting of elements that are “small” with b We translate ξ by multiples of r to lie in rF , where F is respect to all absolute values of K.

75 b ⊗ R consisting of those elements that have coordinates the fundamental parallelotope in K in (− 21 , 21 ] with respect to our chosen basis. b of all complex absolute values of K b by M b , we If we denote the maximum on F ∩ K K have q = NK/Q (ξ) ≤ (rMKb )2bg . For the ρ-value ρ = g log q/ log r (see page 11), we find b ρ ≤ 2gb g (1 + log MKb / log r),

(4.8)

which is approximately 2gb g if r gets large with respect to MKb . We would like ρ to be small, but this is not what one obtains by lifting random admissible choices of ξ. Theorem 4.3.1. If the field K is fixed and r is large, we expect that 1. the output q of Algorithm 4.2.6 yields ρ ≈ 2gb g , and 2. an optimal choice of ξ ∈ OKb satisfying the conditions of Theorem 4.2.5 yields ρ ≈ 2g. The proof of Theorem 4.3.1 is due to Peter Stevenhagen and Marco Streng, and appears b ⊗R in [42]. The idea is as follows: let Hr,k be the subset of the parallelotope rF ⊂ K consisting of those ξ ∈ rF ∩ OKb that satisfy the two congruence conditions (4.6) for a given embedding degree k. To prove (1), one shows heuristically that a random ξ ∈ Hr,k has NK/Q (ξ) ≈ r2bg . To prove (2), one shows that the smallest value of M for which the b expected number of ξ ∈ Hr,k with NK/Q (ξ) ≤ M is at least 1 is M ≈ r2 . b Open Problem 4.3.2. Find an efficient algorithm to compute an element ξ ∈ OKb satisfying the conditions of Theorem 4.2.5 for which ρ ≈ 2g.

4.3.1

Examples demonstrating the distribution of ρ-values

For very small values of r we are able to do a brute-force search for the smallest q by testing all possible values of α1 , . . . , αgb−1 , β1 , . . . , βgb−1 in Step (4) of Algorithm 4.2.6. We performed two such searches, one in dimension 2 and one in dimension 3. The experimental results support the conclusions of Theorem 4.3.1, that ρ ≈ 2g is possible with a smart choice in the algorithm, and that ρ ≈ 2gb g is achieved with a randomized algorithm. Example 4.3.3. Take K = Q(ζ5 ), and let Φ = {φ1 , φ2 } be the CM type of K defined by φn (ζ5 ) = e2πin/5 . We ran Algorithm 4.2.6 with r = 1021 and k = 2, and tested all possible values of α1 , β1 . The total number of primes q found was 125578, and the distribution of the corresponding ρ-values appears in Figure 4.1. The smallest q found was q = 2023621, giving

76 Figure 4.1: Distribution of ρ-values for pairing-friendly abelian surfaces with CM field Q(ζ5 ) and embedding degree 2 with respect to r = 1021. " 25 000

" 250

20 000

200

15 000

150

10 000

100

5000

50

2

4

6

8

Ρ

2

4

6

8

Ρ

Figure 4.2: Distribution of ρ-values for pairing-friendly abelian surfaces with CM field Q(ζ7 ) and embedding degree 4 with respect to r = 29. " 8000

" 250

6000

200 150

4000

100

2000 0

50

5

10

15

Ρ

0

5

10

15

Ρ

a ρ-value of 4.19. The curve over Fq for which the Jacobian has this ρ-value is y 2 = x5 + 18, and the number of points on its Jacobian is 4092747290896. Example 4.3.4. Take K = Q(ζ7 ), and let Φ = {φ1 , φ2 , φ3 } be the CM type of K defined by φi (ζ7 ) = e2πi/7 . We ran Algorithm 4.2.6 with r = 29 and k = 4, and tested all possible values of α1 , α2 , β1 , β2 . The total number of primes q found was 162643, and the distribution of the corresponding ρ-values appears in Figure 4.2. The smallest q found was q = 911, giving a ρ-value of 6.07. The curve over Fq for which the Jacobian has this ρ-value is y 2 = x7 + 34, and the number of points on its Jacobian is 778417333. Example 4.3.5. Take K = Q(ζ5 ), and let Φ = {φ1 , φ2 } be the CM type of K defined by φi (ζ5 ) = e2πi/5 . We ran Algorithm 4.2.6 with r = 2160 + 685 and k = 10, and tested 220 random values of α1 , β1 . The total number of primes q found was 7108. Of these primes, 6509 (91.6%) produced ρ-values between 7.9 and 8.0, while 592 (8.3%) had ρ-values between 7.8 and 7.9. The smallest q found had 623 binary digits, giving a ρ-value of 7.78.

77

4.3.2

Examples of cryptographic size

We implemented Algorithm 4.2.6 in MAGMA [18] and used it to compute examples of q-Weil numbers π corresponding to pairing-friendly abelian varieties of dimension 2 and 3. We then used CM methods (Section 1.2.4) to find curves whose Jacobians are in the specified isogeny class. We chose the subgroup size r so that the discrete logarithm problem in A[r] is expected to take roughly 280 steps. The embedding degree k is chosen so that rk/g ≈ 1024; this would be the ideal embedding degree for the 80-bit security level if we could construct varieties over Fq with #A(Fq ) ≈ r. p √ Example 4.3.6. Let η = −2 + 2 and let K be the degree-4 Galois CM field Q(η). Let Φ = {φ1 , φ2 } be the CM type of K such that Im(φi (η)) > 0. We ran Algorithm 4.2.6 with CM type (K, Φ), r = 2160 − 1679, and k = 13. The algorithm output the following field size: q

=

31346057808293157913762344531005275715544680219641338497449500238872300350617165 \ 40892530853973205578151445285706963588204818794198739264123849002104890399459807 \ 463132732477154651517666755702167

(640 bits)

There is a single Fq -isomorphism class of curves over Fq whose Jacobians have CM by OK . It has been computed in [124], and the desired twist turns out to be C : y 2 = x5 + 3x4 − 2x3 − 6x2 + 3x + 1. The number of points on Jac(C) is n

=

98257534012085645468742020244740953209785833076897404114476588803802898841721765552063 \ 92181154361818788939054993090072546074938823597526095237976730990371957700656600973040 \ 04394777376859846749722986780002585907720332533316840460187492286611405819671581730435 \ 14025181652565119992502811164589910192157242874099206924648559421700563468599496922882 \ 48425215869986332558945448705570388799388.

The ρ-value of Jac(C) is 7.99. p √ Example 4.3.7. Let η = −30 + 2 5 and let K be the degree-4 non-Galois CM field p √ b is Q(ω) where ω = −15 + 2 55. Let Φ be the CM type of K Q(η). The reflex field K such that Im(φi (η)) > 0. We ran Algorithm 4.2.6 with the CM type (K, Φ), subgroup size r = 2160 − 1445, and embedding degree k = 13. The algorithm output the following field size:

78

q

=

11091654887169512971365407040293599579976378158973405181635081379157078302130927 \ 51652003623786192531077127388944453303584091334492452752693094089192986541533819 \ 35518866167783400231181308345981461

(645 bits)

The Igusa class polynomials for K can be found in the preprint version of [131]. We used the roots of the Igusa class polynomials mod q to construct curves over Fq with CM by OK . As √ K is non-Galois with class number 4 and the real quadratic subfield Q( 5) has class number 1, there are 8 isomorphism classes of curves in 2 isogeny classes [132, Theorem 3.1]. We found a curve C in the correct isogeny class with equation y 2 = x5 + a3 x3 + a2 x2 + a1 x + a0 , with a3

=

37909827361040902434390338072754918705969566622865244598340785379492062293493023 \ 07887220632471591953460261515915189503199574055791975955834407879578484212700263 \ 2600401437108457032108586548189769

a2

=

18960350992731066141619447121681062843951822341216980089632110294900985267348927 \ 56700435114431697785479098782721806327279074708206429263751983109351250831853735 \ 1901282000421070182572671506056432

a1

=

69337488142924022910219499907432470174331183248226721112535199929650663260487281 \ 50177351432967251207037416196614255668796808046612641767922273749125366541534440 \ 5882465731376523304907041006464504

a0

=

31678142561939596895646021753607012342277658384169880961095701825776704126204818 \ 48230687778916790603969757571449880417861689471274167016388608712966941178120424 \ 3813332617272038494020178561119564.

The number of points on Jac(C) is n

=

12302480813607134152353875076989454869931477616234328922193695444353667807283567991245 \ 52289361933877359068792458700186290529504684796804568944080681730157602604572147127022 \ 31288523317856392212671114502267687283901115567591891650298458993321887124003665048523 \ 38670650751419620560388032480624660152147036520126818089716832434307572624148525008152 \ 014578663376649053009947066525621705214049680.

The ρ-value of Jac(C) is 8.06. Example 4.3.8. Let K be the degree-6 Galois CM field Q(ζ7 ), and let Φ = {φ1 , φ2 , φ3 } be the CM type of K such that φn (ζ7 ) = e2πin/7 . We used the CM type (K, Φ) to construct a curve C whose Jacobian has embedding degree 17 with respect to r = 2180 − 7427. There is

79 a unique isomorphism class of curves in characteristic zero whose Jacobians are absolutely simple and have CM by K; these curves are given by y 2 = x7 + a. Algorithm 4.2.6 output the following field size: q

=

15755841381197715359178780201436879305777694686713746395506787614025008121759749726349 \ 37716254216816917600718698808129260457040637146802812702044068612772692590771889662051 \ 56107806823000096120874915612017184924206843204621759232946263357637192516979877402638 \ 9116897144108553148110927632874029911153126048408269857121431033499

(1077 bits)

The equation of the curve C is y 2 = x7 + 10. The number of points on Jac(C) is n

=

39113330703213383903291899165497846707299640282288010371282813488147953692153947662664 \ 87252485974936142264723108321714842103685916400288716182633388935114532835166693330040 \ 95545943359012561774771305526500666604924329553188177699453004555405726433521561627622 \ 61074129109013127264412235930234914768887070866275495725369523589290159648017286825332 \ 13398119756438341220383130961697054012739531362817955056695544923703260402101558162169 \ 27334291487286073498459048447037839938917664864068332436643506359136501666836695077326 \ 30537433609708703129108678808307517651131971076118265117524469717302805274201967349144 \ 38426064159106519721205811641961761227684605183281919001353935798297520311078638711448 \ 72379208464128289504401132185462240908777732195011292231019924327946350840874929691801 \ 70242401172090383352813864799888248813047134539470026093689167970134943800805899022427 \ 48586135077158852852001496833282132349040089907306348248919793635627911951010657055098 \ 159756792889062169576019083.

The ρ-value of Jac(C) is 17.95. We now give an example of an abelian surface that is pairing-friendly with respect to a subgroup whose order is a composite number that is presumed to be infeasible to factor, such as an RSA modulus. Such abelian varieties are required by a number of recent protocols, such as that of Boneh, Goh, and Nissim [16]. Example 4.3.9. Let K = Q(ζ5 ). We chose two random 512-bit primes congruent to 1 mod 5, r1

=

11856688933122306712531807066122238396666465588837749557506570490684144303902813825873 \ 551794459259674597557027194217311490745735797836341219374437395610371,

r2

=

12720953704024996851715009787852970500057783698336479473144274622632461124945698973258 \ 268824071286151997260549018351088484741838683144715708710336086192081,

and set r = r1 r2 . Let Φ = {φ1 , φ2 } be the CM type of K defined by φi (ζ5 ) = e2πi/5 . We used the CM type (K, Φ) to construct a curve C whose Jacobian has embedding degree 1

80 with respect to both r1 and r2 . We ran Steps (4) and (5) of Algorithm 4.2.6 for each of r1 and r2 , and combined the results modulo r in Step (6). This modified algorithm output the field size q

=

15305870577409851876289113028580329836078659930030429240512042343301192834799149144442 \ 05306727371204456305652250167850021083923658534356683194226231182780831326634187879416 \ 14495184031267778964109279448921867740552536616129070354304897783659358739595010718915 \ 11146756371547330497981734382713426984316028382805897839962496228320101227973555854647 \ 04554474469541725082042374935237802651609518636715018641122747524291521644233591146378 \ 21859901176790037660028389832831432899097670590996223027686315569096715314736656223931 \ 38848795403328584885953767830463466707630016817038498835683349061661845613859738852134 \ 27603587984874905102613761371339797676153245430645356358443376449483800403438204439384 \ 97999747999642923717047286744973592275821382124862960329786730977712064192699696139914 \ 72611814580568512892181187433399835721051418647509430657062758455801139095565029007635 \ 61654955366276645120027000222514570745405077437252734979546811837118564070384613823416 \ 73373892312213000882840101747935749506434009093189986194415920812391819415999263220759 \ 88344370056780822915422219851064871656382428710473985632013468597037008267717153955643 \ 03077731549586343097747519834757426072073294857723485730686405890330436472056117598460 \ 965761440398702915841156471.

The equation of the curve C is y 2 = x5 + 28. The number of points on Jac(C) is

81

n

=

23426967413242059247761153665964776744834615410460936438247712371139176779262109902343 \ 74199228669946259573580828630039461086239081758575972695514513501880938293759655771000 \ 63557748135352030958817498075184361976515996532475545598013859366239488124051490416908 \ 07197701631795107093955658774342786795748251615267429157991498155496214084045191716469 \ 76970479540238108699403959831678960851175582125601082139717626477826223494860015367625 \ 51018060002193033486345228533304541181543073080060002257000118924771917522668699506852 \ 80211971443390391133709527548886526781982040577981692822714539832289447164851702844518 \ 43675394526166292951549872324453544592887310125013912081318734787687611705379403953381 \ 27191045522603846760357931345750847663744006141917559577776487260810446699143120851673 \ 67650444175441439248739417258405308071477992158269569064050918195806831131736611334068 \ 26793505413004914302505400187694284836431267557256905937124880333750425162092460939049 \ 04823630958425417016704530700021038475717172406795956478848017560677371756405280083827 \ 87070537789039367675543110155225625432813106707791816836762696392716470468386982839056 \ 39440768910521299108713033705739336945623822130494225319387819507884687628708566597708 \ 23452516277500963561146187047154220550264158094911389255264315934811555192211653883871 \ 47202380799184327442648223962981017246785201886759972836210773619439190635498840177350 \ 73259157156590091401405973221768447687160494186295805136343979195503950558230675736028 \ 87493467631705907346526136661681326539596752964487343469859379452406909751260794319284 \ 50609221863699233336318985374682067799984596582222298162876618083032232912006554059107 \ 86234846406764378119680190499456944355330181893097194548299189618101149716283202893173 \ 58807609635336499282858169888345621547048291219905664160755827821020870544135024839927 \ 35197766499406080615409150165541292039209288664492553128573355471420463912134790016237 \ 89045806297512566841579964497156228403175362962460208369693051398201036430968071092461 \ 54853557162447730706464011975932984974033845629329589249269354959681568506544793514123 \ 31092842389371579848475340984602697256929155207876918949319999183071820307875931857439 \ 79182235710850090048451467152159707810997200119677538431361879863477670186660694786125 \ 40180449212407589196775928923992491827764840704078650446001037562327609820674522122652 \ 06769176746883461365765760684425625326171954731006096130092390185607970843024674869657 \ 77145788751364904946926792070410169096691133613925296.

The ρ-value of Jac(C) with respect to r = r1 r2 is 7.98. We conclude with an example of an 8-dimensional pairing-friendly abelian variety found using our algorithms. Since CM methods are not developed in dimension 8, we started with a single CM abelian variety A in characteristic zero and applied our algorithm to different CM types until we found a prime q for which the reduction has the specified embedding degree. To speed up the search, we used a small (i.e., non-cryptographic) subgroup

82 size r. Example 4.3.10. Let K = Q(ζ17 ). We set r = 1021 and k = 10 and ran Algorithm 4.2.6 repeatedly with different CM types for K. Given the output, we tested the Jacobians of twists of y 2 = x17 + 1 for the specified number of points. We found that the curve y 2 = x17 + 30 has embedding degree 10 with respect to r over the field Fq of order q = 6869603508322434614854908535545208978038819437. The CM type producing this q was Φ = {φ1 , φ3 , φ5 , φ6 , φ8 , φ10 , φ13 , φ15 }, where φn (ζ17 ) = e2πin/17 . The number of points on Jac(C) is n

=

49596767669734690396483294297242049264137991259883991466325815369473583352878357078415 \ 33722240256546576887632756868758737467860743626339670941664308267473521789465058669390 \ 78241397009939647628736463907607851411770208766581896025805693515312873934071230292821 \ 34867798307132054329986633233201819182828117339688977152736243690105873530954449413613 \ 08898131394201910207237.

The ρ-value of Jac(C) is 121.9. Even if we could improve on the ρ-value of Example 4.3.10, abelian varieties of dimension 8 would be of limited use in cryptographic applications, as index calculus attacks can solve the discrete logarithm problem in time O(q 16/9 ) [49]. If ρ ≈ 1 then this is equivalent to O(r2/9 ), which is much faster than the best time of O(r1/2 ) in dimensions 1 and 2.

4.4

A generalized Brezing-Weng method Algorithm 4.2.6 can be viewed as a generalization to arbitrary dimension of the Cocks-

Pinch method (Theorem 2.3.1) for constructing pairing-friendly ordinary elliptic curves. In the elliptic curve case, the Brezing-Weng method (Theorem 2.5.1) generalizes the CocksPinch method by parametrizing the trace t, subgroup size r, and field size q as polynomials t(x), r(x), q(x) that produce valid curve parameters for many different inputs x. The advantage of such “families” is that the ρ-values produced are often smaller than those produced by the Cocks-Pinch method.

83 In this section, we show how the techniques of Section 4.2 can be used to view the Brezing-Weng construction from a new perspective that admits a generalization to higher dimensions. In dimension g the resulting abelian varieties have ρ-values strictly less than 2gb g , which is the best value we expect to obtain from Algorithm 4.2.6. For convenience, we reproduce the Brezing-Weng algorithm here. Algorithm 4.4.1 ([19]). Input: a positive integer k and a positive square-free integer D. Output: polynomials r(x), and q(x) such that for any x0 for which q(x0 ) is prime, √ there is an ordinary elliptic curve E over Fq(x0 ) such that End(E) ⊗ Q ∼ = Q( −D) and E has embedding degree k with respect to r(x0 ). 1. Find an irreducible polynomial r(x) ∈ Z[x] such that L = Q[x]/(r(x)) is a number √ field containing −D and the cyclotomic field Q(ζk ). 2. Choose a primitive kth root of unity ζ ∈ L. 3. Let t(x) ∈ Q[x] be a polynomial mapping to ζ + 1 in L. √ 4. Let y(x) ∈ Q[x] be a polynomial mapping to (ζ − 1)/ −D in L. 5. Set q(x) ← (t(x)2 + Dy(x)2 )/4. Return r(x) and q(x). Remark 4.4.2. In this chapter we will always use K to denote a CM field, and L to denote a field containing K and some primitive kth root of unity. This notation differs slightly from that of Chapter 2. Our new perspective on the Brezing-Weng method starts with the fact that since √ L = Q[x]/(r(x)) contains K = Q( −D), the polynomial r(x) splits into two irreducible factors when viewed as an element of K[x]. We thus have r(x) = r1 (x)r1 (x) in K[x], and ∼ K[x]/(r1 (x)) ∼ L= = K[x]/(r1 (x)). Without loss of generality, we may assume that the map implied in Steps (3) and (4) of Algorithm 4.4.1 sends x to a root of r1 (x).

√ If we compute t(x) and y(x) as in Theorem 4.4.1 and let π(x) = 21 (t(x) + y(x) −D), √ then π(x) ≡ ζ mod r1 (x). In addition, we see that π(x) = 12 (t(x) − y(x) −D) ≡ 1 mod

r1 (x), or equivalently, π(x) ≡ 1 mod r1 (x). We thus see that π(x) satisfies conditions analogous to those of Corollary 1.2.3: (π(x) − 1)(π(x) − 1) ≡ 0 mod r(x), Φk (π(x)π(x)) ≡ 0 mod r(x).

84 The expression π(x)π(x) gives the q(x) of the algorithm, so we conclude that for any x0 ∈ Q for which q(x0 ) is a prime integer, π(x0 ) ∈ K is the Frobenius endomorphism of the elliptic curve E specified in the algorithm’s description. b to Algorithm 4.2.6 fixes a prime subgroup size r and uses the type norm from K construct a Frobenius element π ∈ K that has specified residues modulo certain primes over r in OK . To apply these ideas to the Brezing-Weng construction, we extend the type norm to a multiplicative map Nφ on polynomials in K[x]. Definition 4.4.3. Let K be a CM field and Φ be a CM type of K, and let L be the normal closure of K. Define the extended type norm Nφ : K[x] → L[x] by Y NΦ (ξ) = φ(ξ), φ∈Φ

where φ(ξ) is obtained by applying φ to the coefficients of ξ. If deg K = 2g, then NΦ (ξ) is a polynomial of degree g times the degree of ξ. b b Lemma 4.4.4. Let ξ ∈ K[x], and let Φ be a CM type of K. Then NΦ (ξ) ∈ K[x], where K is the reflex field of (K, Φ). b Then by definition of Proof. Let L be the normal closure of K, and let σ ∈ Gal(L/K). Q Q the reflex type, σ permutes the elements of Φ, so σ( φ∈Φ φ(ξ)) = φ∈Φ φ(ξ). (Cf. Lemma 4.2.3.) Remark 4.4.5. In a similar manner, for any extension of number fields L/K we can extend Q the norm NL/K to polynomials f ∈ L[x] by setting NL/K (f ) = φ φ(f ), where φ ranges over the set of embeddings of L in its normal closure that fix K. An argument analogous to the proof of Lemma 4.4.4 then shows that the image of NL/K is contained in K[x]. To generalize the Brezing-Weng construction, we let K be a CM field of degree 2g b Ψ) be the reflex CM type, and let deg K b = 2b with primitive CM type Φ. Let (K, g . Let b and Q(ζk ). In the case where K = K b is a L = Q[x]/(r(x)) be a number field containing K quadratic imaginary field, the Brezing-Weng method constructs directly a polynomial π(x) parametrizing Frobenius elements by prescribing the residues of π(x) modulo each factor of r(x) in K[x]. To generalize this construction along the lines of Algorithm 4.2.6, we construct b π(x) as the extended type norm NΨ of an element ξ ∈ K[x] with prescribed residues modulo b factors of r(x) in K[x]. The following proposition is an analogue of Proposition 4.2.4 that b in a way that will be useful for our construction. allows us to index the factors of r(x) in K[x]

85 b be a CM field and Ψ be a CM type on K. b Let r(x) ∈ Q[x] be Proposition 4.4.6. Let K b Let G = Gal(L/Q) irreducible, and assume that L = Q[x]/(r(x)) is Galois and contains K. b For each ψ ∈ Ψ let ψ 0 ∈ G be a representative of the left coset of H and H = Gal(L/K). b that induces the embedding ψ on K. Fix a root γ ∈ L of r(x). For each ψ ∈ Ψ, define rψ (x) = NL/Kb (x − ψ 0−1 (γ)),

rψ (x) = NL/Kb (x − ψ 0

−1

(γ)).

b and the complete factorThen for each ψ ∈ Ψ, rψ and rψ are irreducible elements of K[x], b ization of r(x) in K[x] is given by r(x) =

Y

rψ (x)rψ (x).

(4.9)

ψ∈Ψ

b Proof. The fact that rψ and rψ are in K[x] follows from Remark 4.4.5. Since L is Galois, b any root δ ∈ L of rψ (x) is also a root of r(x), and thus L = Q(δ) = K(δ). It follows that b has degree [L : K], b which by construction is the degree the minimal polynomial of δ over K b and is thus irreducible. of rψ (x). Therefore rψ (x) is the minimal polynomial of δ over K The proof for ψ is analogous. b in L, we have Since the elements of H induce the complete set of embeddings of K rψ (x) =

Y

(x − σψ 0−1 (γ)),

rψ (x) =

σ∈H

Y

(x − σψ 0

−1

(γ)).

σ∈H

If we let Ψ0 = {ψ 0 : ψ ∈ Ψ} and Ψ0 = {ψ 0 : ψ ∈ Ψ}, then the set of roots of the right hand side of (4.9) is exactly {τ (γ) : τ ∈ H(Ψ0 ∪ Ψ0 )−1 }. Since Ψ0 ∪ Ψ0 is a complete set of left coset representatives of H in G, its inverse is a complete set of right coset representatives of H in G, and thus H(Ψ0 ∪ Ψ0 )−1 = G. We conclude that {τ (γ) : τ ∈ H(Ψ0 ∪ Ψ0 )−1 } consists of precisely the roots of r(x) in L. We now obtain an analogue of Theorem 4.2.5: b Ψ) its reflex. Let r(x) ∈ Q[x] be Theorem 4.4.7. Let (K, Φ) be a CM type and (K, an irreducible (not necessarily monic) polynomial such that L = Q[x]/(r(x)) is a Galois b and the cyclotomic field Q(ζk ). extension of Q containing K b Let γ ∈ L be a root of r(x), and write the factorization of r(x) in K[x] as in Proposition b 4.4.6. Given ξ ∈ K[x], for each ψ ∈ Ψ suppose αψ , βψ ∈ Q[x] satisfy ξ ≡ αψ mod rψ (x)

and

ξ ≡ βψ mod rψ (x).

(4.10)

86 Suppose that Y

αψ (γ) = 1

ψ∈Ψ

and

Y

βψ (γ) = ζ,

(4.11)

ψ∈Ψ

where ζ ∈ L is a primitive kth root of unity. Then π(x) = NΨ (ξ) ∈ K[x] satisfies 1. π(x)π(x) ∈ Q[x], 2. NK/Q (π(x) − 1) ≡ 0 mod r(x), and 3. Φk (π(x)π(x)) ≡ 0 mod r(x). Proof. Statement (1) follows from Remark 4.4.5 and the fact that π(x)π(x) = NK/Q ξ. b b Next, (4.10) implies that ξ − αψ = f rψ for some f ∈ K[x], so ψ 0−1 (γ) ∈ L is a root of b ξ − αψ ∈ K[x]. Applying ψ 0 to this expression and using the fact that αψ ∈ Q[x], we see that γ is a root of ψ(ξ) − αψ ∈ L[x]. It follows that (ψ(ξ))(γ) = αψ (γ), and by the Q same reasoning, (ψ(ξ))(γ) = βψ (γ). Now since π(γ) = ψ∈Ψ (ψ(ξ))(γ) by definition of the extended type norm, we conclude from (4.11) that π(γ) = 1 and π(γ) = ζ, from which statements (2) and (3) follow. If π(x) and r(x) are as in Theorem 4.4.7, then by Corollary 1.2.3 for any x0 ∈ Q for which q = π(x0 )π(x0 ) is a prime, the algebraic integer π(x0 ) ∈ OK is the Frobenius element of an abelian variety over Fq that has embedding degree k with respect to r(x0 ). We can thus view π(x) as defining a one-parameter “family” of pairing-friendly Frobenius elements. The following definition formalizes this concept, generalizing Definition 2.2.3. Definition 4.4.8. Let K be a CM field of degree 2g, let π(x) ∈ K[x], and let r(x) ∈ Q[x]. We say that (π, r) represents a family of g-dimensional abelian varieties with embedding degree k if: 1. q(x) = π(x)π(x) is in Q[x]. 2. q(x) represents primes (in the sense of Definition 2.2.1). 3. r(x) is non-constant, irreducible, and integer-valued, and has positive leading coefficient. 4. NK/Q (π(x) − 1) ≡ 0 mod r(x). 5. Φk (q(x)) ≡ 0 mod r(x), where Φk is the kth cyclotomic polynomial.

87 With our setup, we can now adapt Algorithm 4.2.6 to our new context. Algorithm 4.4.9. b Ψ); a positive integer k; a Input: a primitive CM type (K, Φ); its reflex type (K, polynomial r(x) ∈ Q[x], satisfying condition (3) of Definition 4.4.8, such that Q[x]/(r(x)) is a Galois number field containing K and the cyclotomic field Q(ζk ); and a non-empty set Σ ⊂ Q[x]. Output: a polynomial π(x) ∈ K[x] such that if q(x) = π(x)π(x) represents primes (in the sense of Definition 2.2.1), then (π, r) represents a family of abelian varieties with embedding degree k (in the sense of Definition 4.4.8). 1. Set gb ←

1 2

b and write Ψ = {ψ1 , ψ2 , . . . , ψgb}. Set L ← Q[x]/(r(x)). deg K

b as in Proposition 2. Let γ ∈ L be a root of r(x). Compute the factorization of r(x) in K[x] 4.4.6. 3. Choose a primitive kth root of unity ζ ∈ L. 4. Choose polynomials α1 , . . . , αgb−1 , β1 , . . . , βgb−1 ∈ Q[x] from Σ. 5. Compute αgb ∈ Q[x] such that Qgb i=1 βi (γ) = ζ.

Qgb

i=1 αi (γ)

= 1, and compute βgb ∈ Q[x] such that

b 6. Use the Chinese remainder theorem to compute ξ ∈ K[x] such that ξ ≡ αi mod rψi (x) and ξ ≡ βi mod rψi (x) for i = 1, 2, . . . , gb. 7. Set π(x) ← NΨ (ξ), and return π(x). We note that if K is a quadratic imaginary field, then Step (4) is empty and setting q(x) = π(x)π(x) and t(x) = π(x) + π(x) recovers the Brezing-Weng algorithm. In this case the polynomial r(x) splits into two factors in K[x] regardless of whether L is Galois, so we do not need the Galois hypothesis on L. Given the output π(x) of Algorithm 4.4.9, we can use Algorithm 2.2.4 to find an x0 for which q(x0 ) = π(x0 )π(x0 ) is prime and r(x0 ) has a large prime factor. By Proposition 2.2.5, we expect that such an x0 can be found in time that is linear in the degrees of π and r and quadratic in the desired bit size of x0 . By Lemma 4.2.1, in order for π(x0 ) to be the Frobenius element of an ordinary, simple abelian variety of dimension g, we need to confirm

88 that π(x0 ) generates K over Q and q(x0 ) is unramified in K. An analysis along the lines of Theorem 4.2.8 shows that these two conditions are satisfied with very high probability. Once the conditions are checked, we can then use the CM methods described in Section 1.2.4 to construct an explicit abelian variety A over Fq(x0 ) with embedding degree k.

4.5

Parameter selection in Algorithm 4.4.9 and examples The primary advantage of Algorithm 4.4.9 over Algorithm 4.2.6 is that the former

leads to pairing-friendly abelian varieties with smaller ρ-values than the latter. Recall that the ρ-value of a g-dimensional abelian variety over Fq with respect to a subgroup of order r is ρ = g log q/ log r. If q = q(x) and r = r(x) are parametrized as polynomials, then for large x the ρ-value approaches g deg q/ deg r. This motivates the definition of a ρ-value for a family of pairing-friendly abelian varieties. Definition 4.5.1. Suppose (π, r) represents a family of g-dimensional abelian varieties with embedding degree k, and let q(x) = π(x)π(x). The ρ-value of the family represented by (π, r), denoted ρ(π, r), is ρ(π, r) = lim

x→∞

g deg q(x) g log q(x) = . log r(x) deg r(x)

The key feature of Algorithm 4.4.9 is that the polynomial ξ constructed by the Chinese remainder theorem in Step (6) can always be chosen to have degree strictly less than deg r, and thus deg π ≤ gb(deg r − 1). We thus obtain ρ(π, r) = 2gb g

deg ξ deg r − 1 ≤ 2gb g . deg r deg r

This asymptotic ρ-value is an improvement over the ρ-values produced by Algorithm 4.2.6, which by Theorem 4.3.1 gives expected ρ-values very close to ρ ≈ 2gb g for varieties of cryptographic size. To improve the ρ-values further one would try to choose the inputs to Algorithm 4.4.9 in some clever manner so that the π produced has degree significantly less than gb deg r. These choices include the ζ of Step (3), the αi and βi of Step (4) (which are chosen from the input Σ), and the input polynomial r(x). In Section 2.5 we saw a number of methods for computing an optimal π in the case of elliptic curves, where there are only ζ and r(x) to consider. In higher dimensions we search

89 for a π(x) of low degree by following the model of Brezing and Weng described in Section 2.5.1. We let r(x) be a cyclotomic polynomial Φ` such that k | ` and L ∼ = Q(ζ` ) contains the specified CM field K. Since L is abelian, in this case the CM field K must also be abelian, b We choose the αi , βi all to be polynomials that reduce and thus equal to the reflex field K. to roots of unity (of any order) in L. Since r(x) is the `th cyclotomic polynomial, x is a primitive `th root of unity in Q[x]/(rψ (x)) for all ψ ∈ Ψ. Thus if we choose αi , βi as Pg (α1 , . . . , αg ) ∈ {(xa1 , . . . , xag ) : 0 ≤ ai < `, i=1 ai = 0} , n o P (β1 , . . . , βg ) ∈ (xb1 , . . . , xbg ) : 0 ≤ bi < `, gcd(`, gi=1 bi ) = `/k , then

Q

P

αi = x

ai

≡ 1 mod r(x), and

Q

P

βi = x

bi

(4.12) (4.13)

is a primitive kth root of unity mod

r(x).

4.5.1

Dimension 2

For given CM type (K, Φ), embedding degree k, and cyclotomic polynomial r(x) = Φ` (x), our implementation of Algorithm 4.4.9 searches through all αi , βi satisfying (4.12) and (4.13) and returns the ξ of smallest degree. We illustrate with a detailed example for g = 2 that produces ρ-values around 4, thus answering (in one case) Open Problem 4.3.2. Example 4.5.2 (g = 2, k = 5, ρ = 4). Let K = Q(ζ5 ), k = 5, and r(x) = Φ5 (x) = x4 + x3 + x2 + x + 1. We choose the CM type Φ = {φ1 , φ2 } where φ1 is the identity and φ2 : ζ5 7→ ζ53 . Then Ψ = {ψ1 , ψ2 }, where ψ1 is the identity and ψ2 : ζ5 7→ ζ52 . If we use the root γ = ζ5 to factor r(x) in K[x] as in Proposition 4.4.6, we obtain r(x) = r1 (x)r2 (x)r1 (x)r2 (x) = (x − ζ5 )(x − ζ53 )(x − ζ54 )(x − ζ52 ). We choose α1 = x,

α2 = x3 ,

β1 = x,

β2 = x4

and use the Chinese remainder theorem to compute ξ(x) = 15 (−2ζ53 − 4ζ52 − ζ5 − 3)x2 + 15 (−ζ53 − 2ζ52 + 2ζ5 + 1)x + 15 (−2ζ53 − 4ζ52 − ζ5 − 3).

90 Taking the extended type norm NΦ (ξ) gives π(x) = 51 (−ζ53 + ζ52 + ζ5 − 1)x4 + 51 (ζ53 + 2ζ5 − 3)x3 + 15 (3ζ52 + 4ζ5 − 2)x2 + 15 (ζ53 + 2ζ5 − 3)x + 15 (−ζ53 + ζ52 + ζ5 − 1),

(4.14)

and we compute q(x) = π(x)π(x) =

1 5


x8 + 2x7 + 8x6 + 9x5 + 15x4 + 9x3 + 8x2 + 2x + 1 .

Since q(x) is irreducible and q(1) = 11 and q(−4) = 11941 are distinct primes, q(x) represents primes as in Definition 2.2.1, and thus (π, r) represents a family of abelian surfaces with embedding degree 5. Let us construct an example abelian surface in this family. We input y0 = 254 to Algorithm 2.2.4. Using a = 5 and b = 1 in Step (1), the algorithm outputs h = 5 and x0 = 90071992547410826. We then compute r(x0 )

=

5 · 13164036458570178131583285920762360050673837342185838700280879526651

q(x0 )

=

8664592794128243859387924867522176371767802804679368822415066481255932972638124680359 \ 56767095752602707670039813934558567516584668847561

(449 bits).

Then r(x0 ) is 5 times a 224-bit prime r0 . The Frobenius element π(x0 ) ∈ Q(ζ5 ) can be computed from (4.14), and the number of points n is NK/Q (π(x0 ) − 1)

=

750751682880590880758711726029628178972094394801060386139877155309970053724 \ 325739795315304263728043006622715158418852616320709984510863881685818554792 \ 291764148781436936054052813749689440867929088179317241437357723407745744526 \ 071772162827435691962393142167332744537571805.

Over any field F there is a single F-isomorphism class of abelian surfaces whose ring of F-endomorphisms is isomorphic to Z[ζ5 ]. If char F is prime to 10, then this abelian surface is isomorphic (over F) to the Jacobian of C : y 2 = x5 + 1. Over F we must find the twist of C that is in the correct F-isogeny class; i.e., has a Jacobian with the correct number of Frational points. By choosing a random point P on each twist and seeing whether [n]P = O, we find that the correct curve over F = Fq(x0 ) is C : y 2 = x5 + 5. The ρ-value of Jac(C) with respect to the subgroup of order r0 is 4.02.

91

Table 4.1: Quartic CM fields K contained in cyclotomic fields Q(ζ` ) with ϕ(`) ≤ 16. K

`

Q(ζ5 ) p √ Q( −13 + 2 13) p √ Q( −2 + 2) p √ Q( −5 + 5) p √ Q( −6 + 3 2) p √ Q( −30 + 6 5)

5, 10, 15, 20, 30, 40, 60 13, 26 16, 32, 48 40 48 60

Remark 4.5.3. The abelian surface A = Jac(C) computed in Example 4.5.2 has the property that the bit size of the field Fqk in which pairings on A take their values is roughly ρk/g = 10 times the bit size of the prime-order subgroup A[r]. It follows that A is suitable for applications with security level equivalent to a 112-bit symmetric-key system (cf. Table 1.1 and Section 3.1.1). In addition, since the curve C has a degree-10 twist, we expect that twisting methods such as those developed for elliptic curves [97] can be used to increase the speed of pairing computation on the Jacobian and reduce the size of the input. We ran Algorithm 4.4.9 for all degree-4 CM fields K that are primitive (i.e., do not contain a quadratic imaginary subfield) and are contained in a cyclotomic field Q(ζ` ) with ϕ(`) ≤ 16. Such fields are necessarily Galois cyclic. These fields, and the corresponding values of `, appear in Table 4.1. We let the inputs to the algorithm range over all such K and ` and embedding degrees k dividing `. Given an η such that K = Q(η), we let Φ be the CM type that consists of embeddings φi such that φi (η) all have positive imaginary part. We tested all choices of αi , βi satisfying (4.12) and (4.13), and computed the ξ of smallest degree that produces a q(x) that represents primes in the sense of Definition 2.2.1. Some examples appear below. Example 4.5.4 (g = 2, k = 10, ρ = 6). Let K = Q(ζ5 ), k = 10, r(x) = Φ10 (x) = x4 − x3 + x2 − x + 1. Algorithm 4.2.6 outputs 1 (ζ53 − ζ52 − ζ5 + 1)x6 + π(x) = 25

1 (−6ζ53 25

+ 5ζ52 + 3ζ5 − 2)x5 + 15 (2ζ53 − ζ52 − 2)x4 + 51 (−2ζ53

− ζ5 + 4)x3 + 15 (3ζ53 − 2ζ52 − 2)x2 +

1 (−4ζ53 25

− ζ52 − ζ5 + 11)x +

1 (4ζ53 25

− 5ζ52 − 2ζ5 − 2).

The ρ-value of this family is 6. On input y0 = 240 , Algorithm 2.2.4 outputs h = 5 and

92 x0 = 5497558154509. We find that A is the Jacobian of the genus 2 curve C : y 2 = x5 + 15. Then r(x0 ) is 5 times a 168-bit prime r0 . The ρ-value of A with respect to r0 is within 10−10 of 6. Example 4.5.5 (g = 2, k = 16, ρ = 7). Let K = Q(η), where η = and r(x) = Φ16 (x) =

x8

1 (−η 2 32

1 (−8η 3 64

1 (8η 3 64

+

1 (−η 2 64

1 (η 2 64

− 3η − 2)x13 +

+ η 2 − 28η)x10 +

− 34)x8 + 81 (−η 3 − 2η + 4)x7 + +

−2 +

√

2. Let k = 16

+ 1. Algorithm 4.4.9 outputs

1 π(x) = 64 (−η 2 − 2)x14 +

+ 5)x11 +

p

+ η 2 + 28η − 16)x4 +

1 (4η 3 32

1 (−8η 3 64 1 (η 2 16

− 4η − 16)x12 +

− η 2 + 7η − 2)x9 +

− η 2 − 16η − 2)x6 +

+ 2η + 5)x3 +

1 (η 2 64

1 (−2η 3 16 1 (8η 3 64

1 (4η 3 32

+ 4η)x2 +

+ η 2 − 6η

− η 2 + 16η

− η 2 + 13η − 2)x5 1 (−η 2 32

− η − 2)x

− 2).

The ρ-value of this family is 7. The single Q-isomorphism class of genus 2 curves whose Jacobians have CM by OK is given by van Wamelen [124]. On input y0 = 218 , Algorithm 2.2.4 outputs h = 2 and x0 = 1083939. We find A to be the Jacobian of the genus 2 curve C : y 2 = x5 + 3x4 − 2x3 − 6x2 + 3x + 1. Then r(x0 ) is 2 times a 160-bit prime r0 . The ρ-value of A with respect to r0 is 6.91. Example 4.5.6 (g = 2, k = 13, ρ = 20/3). Let K = Q(η), where η =

p

√ −13 + 2 13. Let

k = 13 and let r(x) = Φ13 (x) = x12 + x11 + x10 + x9 + x8 + x7 + x6 + x5 + x4 + x3 + x2 + x + 1. Algorithm 4.4.9 outputs 1 π(x) = 4056 (−19η 3 + 183η 2 − 377η + 2301)x20 +

+ 177η 2 + 481η + 2535)x18 + + 221η + 1755)x16 + + 2496)x14 +

1 (13η 3 1352

+ 11η + 104)x11 + +

1 (5η 3 312

1 (η 3 1352

1 (5η 3 312

1 (8η 3 2028

1 (−η 3 338

+ 49η 2 + 65η + 767)x17 +

+ 97η 2 − 65η + 1183)x15 +

+ 33η 2 + 55η + 507)x10 +

+ 33η 2 + 55η + 507)x8 +

+ 923)x4 +

+ 7η 2 − 39η + 78)x19 +

+ 173η 2 + 195η + 2587)x13 +

+ 32η 2 + 13η + 429)x6 +

+

1 (7η 3 1352

1 (−2η 3 338

1 (8η 3 2028

1 (97η 3 4056

+ 3η 2 + 130η + 39)x +

1 (31η 3 2028

1 (−η 2 338

+ 192η 2 + 377η

− 2η + 39)x12 +

1 (2η 3 78

+ 9η 2 + 28η + 117)x9

+ 441η 2 + 1235η + 5811)x7 +

1 (23η 3 4056

− 13).

+ 141η 2

1 (3η 2 26

+ 165η 2 + 52η + 2535)x5 +

+ 9η 2 − 26η + 130)x3 +

1 (19η 3 2028

1 (23η 3 4056

1 (19η 3 1352

1 (η 3 52

+ 8η 2

1 (2η 3 338

+ 81η 2 + 273η

+ 99η 2 + 325η + 1521)x2

93

Table 4.2: Best ρ-values for families of abelian surfaces. k 6 8 15 20

CMpfield K √ Q(p−6 + 3 2) √ Q( −5 + 5) Q(ζ5 ) Q(ζ5 )

r(x) Φ48 (x) Φ40 (x) Φ15 (x) Φ20 (x)

ρ-value 7.5 7.5 7 6

k 30 32 40 60

CM field K Q(ζp 5) √ Q( −2 + 2) Q(ζ5 ) Q(ζ5 )

r(x) Φ60 (x) Φ32 (x) Φ40 (x) Φ60 (x)

ρ-value 7 7.5 6.5 7

The ρ-value of this family is 20/3. The single Q-isomorphism class of genus 2 curves whose Jacobians have CM by OK is given by van Wamelen [124]. On input y0 = 7 · 215 , Algorithm 2.2.4 outputs h = 13 and x0 = 3127658. We find A to be the Jacobian of the genus 2 curve C : y 2 = x5 + 104x4 + 5408x3 + 140608x2 + 1687296x + 7311616. Then r(x0 ) is 13 times a 256-bit prime r0 . The ρ-value of A with respect to r0 is 6.74. Some additional families we obtained for g = 2 are summarized in Table 4.2. The π(x) produced by Algorithm 4.4.9 and example varieties of cryptographic size can be found in Appendix A.2. We restrict to r(x) of degree at most 16 because as the degree of r(x) grows it becomes increasingly unlikely that we will find families with ρ-values significantly less than 8. For the same reason, we expect that non-Galois quartic CM fields K will not provide greatly improved ρ-values, as we must work in a field L that contains the compositum of the Galois closure of K and the cyclotomic field Q(ζk ), so if k ≥ 3 then L must have degree at least 16 over Q.

4.5.2

Dimension 3

In dimension g = 3, we applied the procedure described in Section 4.5.1 to the degree6 Galois CM field Q(ζ7 ). The family we discovered produces three-dimensional ordinary abelian varieties with ρ-values better than the best examples produced by Algorithm 4.2.6, which have ρ ≈ 18. Example 4.5.7 (g = 3, k = 7, ρ = 12). Let K = Q(ζ7 ), k = 7, and r(x) = Φ7 (x) = x6 + x5 + x4 + x3 + x2 + x + 1. Algorithm 4.4.9 outputs

94

1 π(x) = 49 (−2ζ75 − 2ζ73 − 2ζ72 + 6ζ7 )x12 +

1 (−7ζ75 49

+ 10ζ74 − 2ζ73 + ζ72 + 23ζ7 + 5)x10 + +

1 (−22ζ75 49

+ 4ζ74 − 4ζ73 + 2ζ72 + 13ζ7 − 1)x11 +

1 (−16ζ75 49

+ 9ζ74 − 13ζ73 − 2ζ72 + 45ζ7 − 2)x9

+ 6ζ74 − 19ζ73 + 3ζ72 + 39ζ7 − 7)x8 +

1 (−7ζ75 49

+ 12)x7 + 17 (−2ζ75 + ζ74 − 2ζ73 + ζ72 + 3ζ7 − 1)x6 + +

1 (−7ζ75 49

+ 3ζ74 − 10ζ73 + 5ζ72 + 8ζ7 − 6)x4 +

+

1 (−5ζ75 49

− 2ζ74 − 8ζ73 + 2ζ72 − 3ζ7 − 5)x2 +

1 (−9ζ75 49

+ 13ζ74 − 2ζ73 − 2ζ72 + 28ζ7

1 (−12ζ75 49

1 (2ζ75 49

1 (ζ 5 49 7

− 7ζ74 − 26ζ73 − 12ζ72 + 8ζ7 )x5

+ 4ζ74 + 2ζ73 − ζ72 + 5ζ7 + 9)x3

+ ζ74 − 2ζ73 − 3ζ72 + 3ζ7 )x +

1 (ζ 4 49 7

+ 2ζ73 + 2ζ72 + 2)

The ρ-value of this family is 12. The single Q-isomorphism class of genus 3 curves whose Jacobians have CM by OK is given by y 2 = x7 + 1. On input y0 = 228 , Algorithm 2.2.4 outputs h = 7 and x0 = 1879056152. We find A to be the Jacobian of the genus 3 curve C : y 2 = x7 + 16. Then r(x0 ) is 7 times a 183-bit prime r0 . The ρ-value of A with respect to r0 is 12.10. We also ran our algorithm for the degree-6 CM field Q(ζ9 ) and found families with ρvalues of 15 for k = 9 and k = 18. The π(x) output by the algorithm and example varieties of cryptographic size can be found in Appendix A.3. Abelian varieties with CM by Q(ζ9 ) are Jacobians of Picard curves of the form y 3 = x4 + ax [70]. Since these curves are not hyperelliptic, by Proposition 1.2.5 for any q-Weil number π ∈ Z[ζ9 ] there is a curve C/Fq whose Jacobian has Frobenius element either π or −π. In the second case the abelian variety over Fq with Frobenius element π is the quadratic twist of Jac(C), and is not isomorphic over Fq to a Jacobian.

Future Directions Algorithm 4.4.9 improves on the best known ρ-values of pairing-friendly ordinary abelian varieties of dimension g ≥ 2 for many different choices of CM field K and embedding degree k. However, to make ordinary abelian varieties of dimension g ≥ 2 competitive with elliptic curves in terms of performance, we must construct varieties with ρ ≤ 2, with the ultimate goal of producing ρ-values close to 1. Achieving this goal is the most important problem for further work. Our construction leaves a great deal of room for searching for better parameters. One direction would be to choose various Galois CM fields K and let L = K(ζk ). Another approach would be to fix K and L and use the approach of Kachisa, Schaefer, and Scott

95 [62] to search systematically through polynomials r(x) such that L ∼ = Q[x]/(r(x)). In the case where g ≥ 2, one could also increase the size of the input Σ, which is the set from which b we choose the residues αi , βi of ξ modulo factors of r(x) in K[x]. In practice we find that when we use elements of Σ with large coefficients, the q(x) computed have coefficients with large denominators and are thus unlikely to take integer values. However, even restricting Σ to contain only polynomials with small coefficients leaves many possible choices for αi and βi , and a program that searches systematically through these choices should have a good chance of finding improved ρ-values.

96

Chapter 5

Implementing the Genus 2 CM Method via the Chinese Remainder Theorem 5.1

Introduction In this chapter we study the genus 2 case of the complex multiplication methods

discussed in Section 1.2.4. These methods are used not only to construct the pairing-friendly abelian varieties discussed in previous chapters, but also to construct abelian varieties in any situation where a specified number of points is desired. CM methods are especially relevant in genus 2, as Schoof-like point-counting methods are currently too slow to be applicable to abelian surfaces over prime fields of 128 bits or larger [11], and thus Jacobians of random curves cannot be used for applications requiring medium to high security levels. The genus 2 CM method constructs genus 2 curves whose Jacobians have CM by the ring of integers OK of a given quartic CM field K. The central part of the procedure is computing the Igusa class polynomials for K. These polynomials are defined as follows. Definition 5.1.1. Given a genus 2 curve C over any field, let (j1 (C), j2 (C), j3 (C)) be the absolute Igusa invariants of C (see [124, p. 313] or [54, §5.2] for definitions† ). For a given primitive quartic CM field K, let CK be a set consisting of one representative from each C† We observe that Goren and Lauter’s definition of the third invariant in terms of modular forms [54, 3 −3 p. 472] is incorrect: the coefficient of ψ4 χ−4 · 32 instead of 22 · 3. 10 χ12 should be 2

97 isomorphism class of genus 2 curves C/C such that End(Jac(C)) ∼ = OK . Then for i = 1, 2, 3, the ith Igusa class polynomial for K is Hi (x) =

Y

(x − ji (C)).

C∈CK

The fact that CK is finite follows from [115, Chapter II, Proposition 17]. It follows from Definition 5.1.1 that given the Igusa class polynomials for K, we can construct genus 2 curves with CM by OK by applying Mestre’s algorithm [88] to triples of roots of the polynomials. We also note that since any CM abelian variety in characteristic zero is defined over Q [115, Chapter III, Proposition 26], the group Gal(Q/Q) permutes the set of triples (j1 (C), j2 (C), j3 (C)) and thus the Hi (x) have rational coefficients. In this chapter we study the implementation of Eisentr¨ager and Lauter’s Chinese remainder theorem algorithm for computing the Igusa class polynomials [34]. The fundamental theorem underlying the algorithm is the following: Theorem 5.1.2 ([34, Theorem 2]). Let K be a primitive quartic CM field. Let p be a rational prime that splits completely in K and splits completely into principal ideals in b the reflex field of K. For i = 1, 2, 3, let Hi,p (x) be the reduction mod p of the Igusa K, class polynomial Hi (x). Let Cp,K be a set consisting of one representative from each Fp isomorphism class of genus 2 curves C/Fp such that End(Jac(C)) ∼ = OK . Then Hi,p (x) is well-defined (i.e., p does not divide the denominator of any coefficient of Hi (x)), and Hi,p (x) =

Y

(x − ji (C)).

(5.1)

C∈Cp,K

Eisentr¨ager and Lauter used this theorem to give an algorithm that takes as input a primitive quartic CM field K and an integer λ that is a multiple of the denominators of all coefficients of the Hi (x), and produces the Igusa class polynomials of K. The basic outline of the algorithm is as follows: 1. Define S to be a set of small primes with splitting behavior as in Theorem 5.1.2, such that the product of all the primes is larger than λ times any coefficient of Hi (x). 2. For each prime p in S:

98 (a) For each triple (j1 , j2 , j3 ) ∈ F3p of Igusa invariants, construct a genus 2 curve C over Fp corresponding to that triple. (b) Find the subset of curves C from (2a) for which the endomorphism ring of Jac(C) is the full ring of integers OK . (c) Use equation (5.1) to construct the Igusa class polynomials mod p from the triples collected in Step (2b). 3. Use the bound λ on denominators and either the Chinese remainder theorem or the Explicit CRT [12] to construct the Igusa polynomials either with rational coefficients or modulo a prime of cryptographic size, respectively. It is a result of Igusa (see [22, §1]) that the set of curves computed in Step (1) consists of one curve from each Fp -isomorphism class of genus 2 curves over Fp . We note that at present there is no effective way of computing the bounds on the coefficients of Step (1), and thus we cannot prove that the output is correct. However, heuristically we expect the case where the output is incorrect to be exceedingly rare. Our main contribution is to provide an efficient probabilistic algorithm for Step (2b) of the Eisentr¨ager-Lauter CRT algorithm: determining whether the endomorphism ring of a Jacobian of a genus 2 curve over a small prime field is the ring of integers in a given quartic CM field K. Using this algorithm, we have implemented a probabilistic version of the full CRT algorithm (Algorithm 5.7.1) in MAGMA [18] and used it to compute Igusa class polynomials for several fields K with small discriminant. It was previously believed that determining endomorphism rings would be the bottleneck in the genus 2 CRT algorithm. Our results are surprising in the sense that we find that the time taken to determine the endomorphism rings using our probabilistic algorithms is negligible compared with the time needed to compute p3 genus 2 curves via Mestre’s algop √ rithm for each small prime p. For example, for K = Q(i 13 + 2 13) and p = 157, the largest prime for which endomorphism rings are computed for this K, our (unoptimized) MAGMA program takes about 52 minutes to loop through 1573 curves and find 243 curves whose Jacobians have Frobenius element in OK . Our probabilistic algorithm (also implemented in MAGMA) applied to these 243 curves then takes 16.5 seconds to find the single curve whose Jacobian has endomorphism ring isomorphic to OK . In Step (2) of the Eisentr¨ager-Lauter algorithm we have fixed a small prime p and a CM field K. We compute a representative of each Fp -isomorphism class of genus 2 curves

99 over Fp , and we wish to determine which of these p3 curves have End(Jac(C)) isomorphic to OK . At a high level, our algorithm that determines endomorphism rings works as follows. Let C be a genus 2 curve over a finite field Fp , and let J be its Jacobian; we assume J is ordinary. Let K be a primitive quartic CM field. The first test is whether End(J), the endomorphism ring of J, is some order in OK . This computation is outlined in [34, Section 5] and described in more detail in Section 5.2 below. If End(J) is an order in OK , we compute a set of possible elements π ∈ OK that could represent the Frobenius endomorphism of J. If π represents the Frobenius endomorphism, then its complex conjugate π represents the Verschiebung endomorphism (i.e., the dual of the Frobenius endomorphism). We next determine a set {αi } of elements of OK such that Z[π, π, {αi }] = OK . It follows that End(J) = OK if and only if each αi is an endomorphism of J. In Section 5.3 we describe such a set {αi } in which each element has one of two forms: either αi = for some positive integer k and prime `, or αi =

hi (π) `d

π k −1 `

for some cubic polynomial hi with

integer coefficients and some prime power `d . In Section 5.4 we show how to determine whether an element of the first form is an endomorphism; this is equivalent to determining the field of definition of the `-torsion points of J. In Section 5.5 we show how to determine whether an element of the second form is an endomorphism; this is equivalent to computing the action of Frobenius on a basis of J[`d ]. The main results are Algorithms 5.4.3 and 5.5.1, two very efficient probabilistic algorithms which check fields of definition and compute the action of Frobenius, respectively. The running times of these algorithms depend primarily on the sizes of the fields over which the points of J[`d ] are defined. Section 5.6 provides upper bounds for these sizes in terms of the prime ` and the size of the base field p. A detailed statement of the Eisentr¨ager-Lauter CRT algorithm, incorporating the algorithms of Sections 5.2, 5.4, and 5.5, appears in Section 5.7. Section 5.8 describes various ways in which we have modified our MAGMA implementation to improve the algorithm’s performance. Finally, in Section 5.9 we give examples of our algorithm run on several small quartic CM fields. The material in this chapter is joint work with Kristin Lauter of Microsoft Research (USA) and has also appeared in [40].

100

5.2

Computing zeta functions and the Frobenius element To execute the Eisentr¨ager-Lauter CRT algorithm, we fix a primitive quartic CM field

K and choose various small primes p. We compute a representative of each Fp -isomorphism class of genus 2 curves over Fp , and we wish to determine which of these p3 curves have End(Jac(C)) isomorphic to OK . To make this determination, the first step is to determine whether the endomorphism ring is even an order in OK . Our hypotheses on p (see Theorem 5.1.2) imply that this can be accomplished by computing the characteristic polynomial of Frobenius, to see if the Frobenius element corresponds to an algebraic integer π ∈ K. This in turn is equivalent to determining the zeta function of C, which can be computed by finding the number of points on the curve and its Jacobian, n = #C(Fp ) and m = #J(Fp ). For a given field K there are several possibilities for the pairs (n, m), as described in [34, Proposition 4]. In this section we give an explicit algorithm that determines whether End(J) is an order in OK and if so, gives a set S ⊂ OK of possibilities for the Frobenius endomorphism of J. The main point is to find the possible Frobenius elements by finding generators of √ certain principal ideals (Step (2) below) with absolute value equal to p (Step (4a) below). We will assume throughout that J is ordinary. Recall that a number field K is a CM field if it is an imaginary quadratic extension of a totally real field. We denote by K0 the real quadratic subfield of K. A CM field is primitive if it has no proper CM subfields. We will assume unless otherwise noted that K is a primitive quartic CM field not isomorphic to Q(ζ5 ). This implies that K is either Galois b the cyclic or non-Galois, and that the only roots of unity in K are ±1. We denote by K reflex field of K (see page 70 for a definition, and observe that the reflex field is the same b = K; if K is non-Galois, then K b for all CM types Φ on K). If K is Galois cyclic, then K is another primitive quartic CM field [115, p. 64]. Algorithm 5.2.1. Let K be a primitive quartic CM field not isomorphic to Q(ζ5 ) and let b be the reflex field of K. The following algorithm takes as input the field K, a prime p K b and a curve C that splits completely in K and splits completely into principal ideals in K, defined over the finite field Fp . The algorithm returns true or false according to whether End(J) is an order in OK , where J = Jac(C). If the answer is true, the algorithm also outputs a set S ⊂ OK that consists of the Aut(K/Q)-orbit of the Frobenius endomorphism of J.

101 1. Compute the decomposition p = p1 p2 p3 p4 in OK , using e.g. [26, Algorithm 6.2.9]. Renumber so that p2 = p1 and p3 = p4 . 2. Compute generators α1 and α2 for the principal ideals p1 p3 and p2 p3 , respectively, using e.g. [26, Algorithm 6.5.10]. 3. Compute a fundamental unit u of K0 with |u| > 1, using e.g. [26, Algorithm 5.7.1]. 4. For i ← 1, 2, do the following: √ √ √ (a) If |αi | < p, set αi ← αi u until |αi | = p. If |αi | > p, set αi ← αi u−1 until √ |αi | = p. (b) Compute the characteristic polynomial hi (x) of αi over Q, using e.g. [26, Proposition 4.3.4]. (c) If K is Galois and h1 (x) = h2 (−x), set α2 ← −α2 and h2 (x) ← h2 (−x). (d) Set (ni,+1 , mi,+1 ) ← (p + 1 −

h0i (0) p , hi (1)).

(e) Set (ni,−1 , mi,−1 ) ← (p + 1 +

h0i (0) p , hi (−1)).

5. Determine whether the Frobenius endomorphism of J has characteristic polynomial equal to hi (±x) for some i: (a) Choose a random point P ∈ J(Fp ) and compute Qj,τ = [mi,τ ]P for i ∈ {1, 2}, τ ∈ {±1}. If none of Qi,τ is the identity, return false. Otherwise, optionally repeat with another random point P . (b) If J passes a certain fixed number of trials of Step (5a), compute #C(Fp ). If #C(Fp ) 6= ni,τ for all i ∈ {1, 2}, τ ∈ {±1}, return false. (c) If #C(Fp ) = ni,τ , compute #J(Fp ), using e.g. Baby-Step Giant-Step [26, Algorithm 5.4.1]. If #J 6= mi,τ for the same i, τ , return false. 6. If K is Galois, output S = {τ α1 , τ α1 , τ α2 , τ α2 }. If K is not Galois, output S = {τ αi , τ αi }, using the i determined in Step (5c). 7. Return true. Proof. The proof of [34, Proposition 4] shows that the ideals p1 p3 and p2 p3 are principal and the Frobenius endomorphism of J corresponds to a generator of one of these ideals or their

102 complex conjugates. Furthermore, this generator must have complex absolute value

√

p.

The generators determined in Step (2) are unique up to unit multiple, so Step (4a) ensures √ that the absolute values are p, thus making each αi unique up to complex conjugation and sign. (Here we use the fact that the only roots of unity in K are ±1.) If the Frobenius element corresponds to αi or αi , then hi (x) is the characteristic polynomial of Frobenius, so we can determine this case by checking whether #C(Fp ) = ni,+1 and #J(Fp ) = mi,+1 . Similarly, if the Frobenius element corresponds to −αi or −αi , then hi (−x) is the characteristic polynomial of Frobenius, so we can determine this case by checking whether #C(Fp ) = ni,−1 and #J(Fp ) = mi,−1 . If K is Galois (with Galois group C4 ), then the ideal (α2 ) is equal to (α1 )σ for some σ generating the Galois group. Since complex absolute value squared is the same as the √ √ norm from K to its real quadratic subfield K0 , |α1 | = p implies that |α1σ | = p. Since √ α1σ and α2 both generate (α2 ) and have absolute value p, we deduce that α1σ = ±α2 or ±α2 . Step (4c) ensures that this sign is positive, so α1 and α2 have the same characteristic polynomial hi (x), and thus the Frobenius element could be any of the elements output by Step (6). Since Aut(K/Q) is generated by σ and σ 2 is complex conjugation, we have output the Aut(K/Q)-orbit of the Frobenius element. If K is not Galois, then the Frobenius element must be either αi or αi . Since Aut(K/Q) in this case consists of only the identity and complex conjugation, Step (6) outputs the Aut(K/Q)-orbit of the Frobenius element.

5.3

Constructing a generating set for OK Given the Jacobian J of a genus 2 curve over Fp and a primitive quartic CM field K,

Algorithm 5.2.1 allows us to determine whether there is some π ∈ OK that represents the Frobenius endomorphism of J. Since the complex conjugate π represents the Verschiebung endomorphism, if Algorithm 5.2.1 outputs true then we have Z[π, π] ⊆ End(J) ⊆ OK .

(5.2)

From this point on we assume we are given an ordinary Jacobian J/Fp and its Frobenius element π ∈ OK . Then we know that (5.2) holds, and we wish to determine whether End(J) = OK . Let B be a Z-module basis for OK , and consider the collection of elements {α ∈ B \ Z}.

103 Since this collection generates OK over Z[π, π], it suffices to determine whether or not each element of the collection is an endomorphism of J. Assuming K satisfies some mild hypotheses, Eisentr¨ager and Lauter give one example of a basis B that suffices to determine the endomorphism ring [34, Lemma 6]. However, the method given in [34] lacks an efficient procedure for testing whether a given α ∈ B is an endomorphism of J. In this section, we derive from an arbitrary basis B a set of generators for OK over Z[π, π] that are convenient in the sense that there is an efficient probabilistic algorithm (Algorithm 5.4.3 or Algorithm 5.5.1) for determining whether an element of the set is an endomorphism of J. Our findings are summarized in Proposition 5.3.7. We begin by observing that since K = Q(π), any α ∈ OK can be expressed as a polynomial f ∈ Q[π]. Since π satisfies a polynomial of degree 4 (the characteristic polynomial of Frobenius), f can be taken to have degree 3. Using linear algebra, we may thus write α=

a0 + a1 π + a2 π 2 + a3 π 3 n

(5.3)

for some integers a0 , a1 , a2 , a3 , n. We assume that a0 , a1 , a2 , a3 have no common factor with n, so that n is the smallest positive integer such that nα ∈ Z[π]. The following lemma shows that each α ∈ B \ Z can be replaced with a collection of elements that generate the same ring, each with a power of a single prime in the denominator of the expression (5.3). Lemma 5.3.1. Let A ⊂ B be commutative rings with 1, with [B : A] finite. Suppose α ∈ B, and let n be the smallest positive integer such that nα ∈ A. Suppose n factors into primes as `1d1 · · · `dr r . Then A[α] = A

h

n n d α, . . . , dr α `r `1 1

i

.

Proof. Clearly the ring on the right is contained in the ring on the left, so we must show that α is contained in the ring on the right. Since the set of integers

n n d , . . . , dr `r `1 1

has greatest

common divisor 1, there exist integers ci such that c1

n `d11

+ · · · + cr

n `dr r

= 1.

(5.4)

Multiplying this identity by α gives the desired result. The next lemma shows that only primes dividing the index [OK : Z[π]] appear in the denominators.

104 Lemma 5.3.2. Let α be an element of OK , and suppose n is the smallest positive integer such that nα ∈ Z[π]. Then n divides the index [OK : Z[π]]. Proof. Let N = [OK : Z[π]]. By definition, N is the size of the abelian group OK /Z[π]. Thus we can write any α ∈ OK as α = a + b with b ∈ Z[π] and N · a ∈ Z[π]. This shows that OK is contained in

1 N Z[π].

We may thus write α = f (π)/N for a unique polynomial

f with integer coefficients and degree at most 3. Furthermore, since nα is the smallest positive multiple of α in Z[π], we may write α = g(π)/n for a unique polynomial g with integer coefficients and degree at most 3, such that n has no factor in common with all the coefficients of g. We thus have n · f (π) = N · g(π). If we let d be the gcd of the coefficients of f and e be the gcd of the coefficients of g, then we have n · d = N · e. Since gcd(n, e) = 1, we conclude that n divides N . We now know that each α ∈ B \ Z can be replaced with a collection of elements {

n d α}, `i i

and the only `i appearing are divisors of the index [OK : Z[π]]. The following lemma and corollary show that for any ` which divides [OK : Z[π]] exactly (i.e., ` | [OK : Z[π]] and `2 - [OK : Z[π]]), the element

n `α

can be replaced by an element of the form

π k −1 ` .

This

replacement is useful since by [34, Fact 10], determining whether an element of the form π k −1 `

is an endomorphism is equivalent to testing the field of definition of the `-torsion.

Lemma 5.3.3. Let A ⊂ B ⊂ C be abelian groups, with [C : A] finite. Let ` be a prime, and suppose ` divides [C : A] exactly. Suppose there is some β ∈ B such that β 6∈ A and `β ∈ A. Then for any α ∈ C such that `α ∈ A, α ∈ B. Proof. The hypotheses on [C : A] imply that the `-primary part of C/A (denoted (C/A)` ) is isomorphic to Z/`Z, so (B/A)` is either trivial or Z/`Z. The conditions on β imply that β has order ` in B/A, so (B/A)` ∼ = Z/`Z ∼ = (C/A)` , with the isomorphism induced by the inclusion map B ,→ C. Since α is in the `-primary part of C/A, α must also be in the `-primary part of B/A, so α ∈ B. Corollary 5.3.4. Let k be a positive integer. Suppose ` divides [OK : Z[π]] exactly and β=

π k −1 `

6∈ Z[π]. Then

π k −1 `

is an endomorphism of J if and only if every α ∈ OK \ Z[π]

with `α ∈ Z[π] is also an endomorphism. Proof. The result follows directly from Lemma 5.3.3, with A = Z[π], B = End(J), and C = OK .

105 Furthermore, if p = ππ does not divide [OK : Z[π, π]], then any element αi with denominator `i = p may be ignored due to the following corollary. Corollary 5.3.5. Let π ∈ OK correspond to the Frobenius endomorphism of an ordinary abelian surface over Fp , and suppose p - [OK : Z[π, π]]. Then for any α ∈ OK such that pα ∈ Z[π], α ∈ Z[π, π]. Proof. Since π is a Frobenius element, it satisfies a characteristic polynomial of the form π 4 + s1 π 3 + s2 π 2 + s1 pπ + p2 = 0. Using ππ = p and dividing this equation by π gives π 3 + s1 π 2 + s2 π + s1 p + pπ = 0.

(5.5)

From this equation we see that pπ ∈ Z[π], so either [Z[π, π] : Z[π]] = p or π ∈ Z[π]. If π ∈ Z[π] then p divides the coefficients of all the terms on the left hand side of (5.5), which it does not, so we deduce that π 6∈ Z[π] and [Z[π, π] : Z[π]] = p. The hypothesis p - [OK : Z[π, π]] now implies that p divides [OK : Z[π]] exactly, so we may apply Lemma 5.3.3 with ` = p, A = Z[π], B = Z[π, π], C = OK , and β = π. Thus any α satisfying the conditions of the corollary is automatically an endomorphism. We now show that if p > 3, then the condition p - [OK : Z[π, π]] is automatically satisfied. Proposition 5.3.6. Suppose p > 3 and that π ∈ OK corresponds to the Frobenius endomorphism of an ordinary abelian surface A over Fp . Then p - [OK : Z[π, π]]. Proof. Let ∆(R) denote the discriminant of a Z-module R.

Christophe Ritzenthaler

pointed out to us that this proposition follows from [59, Proposition 9.4], which shows that ∆(Z[π, π]) = ± NormK/Q (π − π) ∆(Z[π + π]). Alternatively, it is shown in [76, Proposition 7.4] that any prime that divides the index [OK : Z[π, π]] must divide either [OK0 : Z[π + π]] or

∆(OK0 [π]) ∆(OK ) ,

and, using [59, Theorem

1.3], that the second quantity is prime to p if the abelian surface is ordinary. The same proposition also shows that ∆(Z[π + π]) < 16p, and since ∆(Z[π + π]) = [OK0 : Z[π + π]]2 , ∆(OK0 )

106 we conclude that if p divides [OK : Z[π, π]] then p2 divides [OK0 : Z[π + π]]2 , and thus p2 ≤

∆(Z[π + π]) 16p < ∆(OK0 ) 5

(since a real quadratic field has discriminant at least 5), which implies p ≤ 3. The following proposition summarizes the results of this section. Proposition 5.3.7. Suppose {αi } generates OK as a Z-algebra. Let ni be the smallest positive integer such that ni αi ∈ Z[π], and write the prime factorization of ni as ni = Q dij kij −1 ∈ ` O . ij K j `ij . For each (i, j) with `ij 6= p, let kij be the smallest integer such that π Suppose p > 3. Then the following set generates OK over Z[π, π]: ( ) [ π kij − 1 ni 2 α : `ij | [OK : Z[π]] or ∈ Z[π] dij i `ij `ij   kij π kij − 1 π −1 2 : `ij - [OK : Z[π]], `ij 6= p, and 6∈ Z[π] . `ij `ij The test of whether

π kij −1 `ij

is in Z[π] is required to apply Corollary 5.3.4. In practice

we find that this condition always holds, even for small primes `ij , and thus the second set in the union has one element for each `ij dividing [OK : Z[π]] exactly. Remark 5.3.8. Proposition 5.3.7 shows that if p > 3 and the index [OK : Z[π, π]] is squarefree, then OK can be generated over Z[π, π] by a collection of elements of the form

π k −1 ` .

This answers a question raised by Eisentr¨ager and Lauter [34, Remark 5]. In our application, π ∈ OK is only determined up to an automorphism of K, but Proposition 5.3.7 can still be used to determine a generating set for OK . Corollary 5.3.9. Let S ⊂ OK be the set given in Proposition 5.3.7. Let σ be an element of Aut(K/Q). Then the set {β σ : β ∈ S} generates OK over Z[π σ , π σ ]. Proof. By Proposition 5.3.7, the set {π, π} ∪ S generates OK as a Z-algebra. Since OK is mapped to itself by Aut(K/Q), the set {π σ , π σ } ∪ {β σ : β ∈ S} also generates OK as a Z-algebra. The statement follows immediately.

107

5.4

Determining fields of definition In this section, we consider the problem of determining the field of definition of the

n-torsion points of the Jacobian J of a genus 2 curve over Fp . By [34, Fact 10], the n-torsion points of J are defined over Fpk if and only if (π k −1)/n is an endomorphism of J, where π is the Frobenius endomorphism of J. Thus determining the field of definition of the `-torsion points allows us to determine whether some of the elements given by Proposition 5.3.7 are endomorphisms. Algorithm 5.4.1. The following algorithm takes as input a primitive quartic CM field K, an element π ∈ OK with ππ = p, and an integer n with gcd(n, p) = 1, and outputs the smallest integer k such that π k − 1 ∈ nOK . If J is the Jacobian of a genus 2 curve over Fp with Frobenius π σ for some σ ∈ Aut(K/Q) and End(J) = OK , this integer k is such that the n-torsion points of J are defined over Fpk . 1. Compute a Z-basis B = (1, δ, γ, κ) of OK , using [120] or [26, Algorithm 6.1.8], and write π = (a, b, c, d) in this basis. Set k ← 1. 2. Let B¯ be the reduction of the elements of B modulo n. Let (a1 , b1 , c1 , d1 ) = (a, b, c, d) (mod n). ¯ 3. Compute π k ≡ (ak , bk , ck , dk ) (mod n) with respect to B. 4. If (ak , bk , ck , dk ) ≡ (1, 0, 0, 0) (mod n), output k. Otherwise set k ← k + 1 and go to Step (3). Proof. The set B¯ is a Z/nZ-basis of OK /nOK , so if π k ≡ (1, 0, 0, 0) (mod n), then π k −1 ∈ nOK (since the first element of B¯ is 1). Since nOK is mapped to itself by Aut(K/Q), we have (π σ )k − 1 ∈ nOK . If End(J) = OK , then

(π σ )k −1 n

∈ OK = End(J), so by [34, Fact 10],

J[n] ⊂ J(Fpk ). Remark 5.4.2. Since J[n] =

L

J[`d ] for prime powers `d dividing n, we may speed up

Algorithm 5.4.1 by factoring n and computing k(`d ) for each prime power factor `d ; then k(n) = lcm(k(`d )). Furthermore, we will see in Propositions 5.6.2 and 5.6.3 below that for a fixed `d , the possible values of k are very limited. Thus we may speed up the algorithm even further by precomputing these possible values and testing each one, rather than increasing the value of k by 1 until the correct value is found.

108 Eisentr¨ager and Lauter [34] computed endomorphism rings in several examples by determining the group structure of J(Fpk ) to decide whether J[n] ⊂ J(Fpk ). This is an exponential-time algorithm that is efficient only for very small k. Eisentr¨ager and Lauter also suggested that the algorithm of Gaudry and Harley [50] could be used to determine the field of definition of the n-torsion points. One of the primary purposes of this chapter is to present an efficient probabilistic algorithm to test the field of definition of J[n]. Below we describe the various methods of testing the field of definition of the n-torsion of J. Since L J[n] = J[`d ] as `d ranges over maximal prime-power divisors of n, it suffices to consider each prime-power factor separately. We thus assume in what follows that n = `d is a prime power.

5.4.1

The brute force method

The simplest method of determining the field of definition of the n-torsion is to compute the abelian group structure of J(Fpk ). The MAGMA syntax for this computation is straightforward, and the program returns a group structure of the form Z Z × ··· × , J(Fpk ) ∼ = a1 Z aj Z with j ≤ 4 and a1 | · · · | aj . The n-torsion of J is contained in J(Fpk ) if and only if j = 4 and n divides a1 . While this method is easy to implement, if k is too large it may take too long to compute the group structure (via Baby-Step Giant-Step or similar algorithms), or even worse we may not even be able to factor # Jac(C)(Fpk ). In practice, computing group structure in MAGMA seems to be feasible for group sizes up to roughly 2200 , which means pk should be no more than roughly 2100 , and thus k will have to be very small. Thus the brute force method is very limited in scope; however, it has the advantage that in the small cases it can handle it runs fairly quickly and always outputs the right answer.

5.4.2

The Gaudry-Harley-Schost method

Gaudry and Harley [50] define a Schoof-Pila-like algorithm for counting points on genus 2 curves. The curves input to this algorithm are assumed to have a degree 5 model over Fp , so we can write elements of the Jacobian as pairs of affine points minus twice the Weierstrass point at infinity. An intermediate step in the algorithm is to construct a

109 polynomial R(x) ∈ Fp [x] with the following property: if P1 and P2 are points on C such that D = [P1 ] + [P2 ] − 2[∞] is an n-torsion point of J, then the x-coordinates of P1 and P2 are roots of R. The field of definition of the x-coordinates is at most a degree-two extension of the field of definition of D. Thus in many cases the field of definition of the n-torsion points can be determined from the factorization of R(x). Gaudry has implemented the algorithm in MAGMA [18] and NTL [116]; the algorithm involves taking two resultants of pairs of two-variable polynomials of degree roughly n2 . The algorithm uses the clever trick of computing a two-variable resultant by computing many single-variable resultants and interpolating the result. The interpolation only works if the field of definition of J has at least 4n2 − 8n + 4 elements, so we must base-extend J until the field of definition is large enough. Since R(x) has coefficients in Fp , this base extension has no effect on the result of the computation. ˜ 6 ) field Gaudry and Harley’s analysis of the algorithm gives a running time of O(n multiplications if fast polynomial arithmetic is used, and O(n8 ) otherwise. Due to its large space requirements, the algorithm has only succeeded at handling inputs of size n ≤ 19 [52].

5.4.3

A probabilistic method

As usual, we let J be the Jacobian of a genus 2 curve over Fp , and ` 6= p be a prime. Let H be the `-primary part of J(Fpk ). Then H has the structure H∼ =

Z `α1 Z

×

Z `α2 Z

×

Z `α3 Z

×

Z `α4 Z

,

with α1 ≤ α2 ≤ α3 ≤ α4 . Our test rests on the following observations: • If the `d -torsion points of J are defined over Fpk , then α1 ≥ d, and the number of `d -torsion points in H is `4d . • If the `d -torsion points of J are not defined over Fpk , then α1 < d, and the number of `d -torsion points in H is at most `4d−1 . We thus make the following calculation: write #J(Fpk ) = `s m with ` - m. Choose a random point P ∈ J. Then [m]P ∈ H, and we test whether [`d m]P = O in J. If the `d -torsion points of J are defined over Fpk , then [`d m]P = O with probability ρ = `4d−s , while if the `d -torsion points of J are not defined over Fpk then [`d m]P = O with probability at most ρ/`. If we perform the test enough times, we can determine which probability distribution

110 we are observing and thus conclude, with a high degree of certainty, whether the `d -torsion points are defined over Fpk . This method is very effective in practice, and can be implemented for large k: while computing the group structure of J(Fpk ) for large k may be infeasible, it is much easier to compute points on J(Fpk ) and to do arithmetic on those points. We now give a formal description of the algorithm and determine its probability of success. Algorithm 5.4.3. The following algorithm takes as input the Jacobian J of a genus 2 curve defined over a finite field Fq , a prime power `d with gcd(`, q) = 1, and a real number  ∈ (0, 1). If J[`d ] ⊂ J(Fq ), then the algorithm outputs true with probability at least 1 − . If J[`d ] 6⊂ J(Fq ), then the algorithm outputs false with probability at least 1 − . 1. Compute #J(Fq ) = `s m, where ` - m. If s < 4d output false. 2. Set ρ ← `4d−s , N ← d

√

−2 log  2` ( `−1 )e, ρ

B ← ρN

`+1 2`




.

3. Repeat N times: (a) Choose a random point Pi ∈ J(Fq ). (b) Compute Qi ← [`d m]Pi 4. If at least B of the Qi are the identity element O of J, output true; otherwise output false. Proof. As observed above, if J[`d ] ⊂ J(Fq ), then Qi = O with probability ρ, while if J[`d ] 6⊂ J(Fq ), then Qi = O with probability at most ρ/`. Thus all we have to do is compute enough Qi to distinguish the two probability distributions. To figure out how many “enough” is, we use the Chernoff bound [106, Chapter 8, Proposition 5.3]. The version of the bound we use is as follows: If N weighted coins are flipped and µ is the expected number of heads, then for any δ ∈ (0, 1] we have Pr[#heads < (1 − δ)µ] < e−µ

2 δ 2 /2

Pr[#heads > (1 + δ)µ] < e−µ

2 δ 2 /2

(5.6) .

In our case we are given two different probability distributions for the coin flip and wish to tell them apart. If the `d -torsion points of J are defined over Fq , then the probability that Qi = O is ρ = `4d /`s . Thus the expected number of Qi equal to O is µ1 = ρN . If

111 the `d -torsion points are not defined over Fq , then the expected number of Qi equal to O is at most µ2 = ρN/`. Thus if we set B = ρN ( `+1 2` ) to be the midpoint of [µ2 , µ1 ], we will deduce that J[`d ] ⊂ J(Fq ) if the number of Qi equal to O is at least B, and J[`d ] 6⊂ J(Fq ) otherwise. We thus wish to find an N such that this deduction is correct with probability at least 1 − , i.e., an N such that Pr[#{Qi : Qi = O} < B] <  if J[`d ] ⊂ J(Fq ), Pr[#{Qi : Qi = O} > B] <  if J[`d ] 6⊂ J(Fq ). Substituting our choice of B into the Chernoff bound (5.6) gives 2 `−1 )2 4`

if J[`d ] ⊂ J(Fq ),

2 `−1 )2 4

if J[`d ] 6⊂ J(Fq ).

Pr[#{Qi : Qi = O} < B] < e−2µ1 ( Pr[#{Qi : Qi = O} > B] < e−2µ2 (

2 2 `−1 2 From these equations, we see that we wish to have 2µ21 ( `−1 4` ) > − log  and 2µ2 ( 4 ) >

− log . The two left sides are equal since µ2 = µ1 /`. We thus substitute µ1 = ρN into the 2 relation 2µ21 ( `−1 4` ) > − log , and find that √   2` −2 log  . N> ρ `−1

Thus this value of N suffices to give the desired success probabilities. Remark 5.4.4. If s = 4d the algorithm can be simplified considerably. In this case, if J[`d ] ⊂ J(Fq ) then the `-primary part H of J(Fq ) is isomorphic to (Z/`d Z)4 , and if not then it contains a point of order greater than `d . Thus if J[`d ] ⊂ J(F ) then Qi will always be the identity, and the algorithm will always return true. On the other hand, if J[`d ] 6⊂ J(Fq ), we may abort the algorithm and return false as soon as we find a point Qi 6= O, for in this case we have found a point in H of too large order, and thus the `d -torsion points are not defined over Fq . If J[`d ] 6⊂ J(Fq ), then the probability that a random point in H has order log  ≤ `d is at most 1/`, so we must conduct at least N = d −log ` e trials to ensure a success

probability of at least 1 − . Thus in this case the method may require many fewer trials. Remark 5.4.5. Note that while #J(Fq ) may be very large, in our application where J is defined over a small prime field it is easy to compute #J(Fq ) from the zeta function of the curve of which J is the Jacobian. Furthermore, while it is probably impossible to factor #J(Fq ) completely in a reasonable amount of time, it is easy to determine the highest power of ` that divides #J(Fq ).

112 Proposition 5.4.6. Let J be the Jacobian of a genus 2 curve over Fp . Assume that the zeta function of J/Fp is known, so that the cost to compute #J(Fpk ) = `s m is negligible. Then the expected number of operations in Fp necessary to execute Algorithm 5.4.3 on inputs J/Fpk , `d , and  (ignoring log log p factors) is O(k 2 log k(log2 p)`s−4d (− log )1/2 ). Proof. We must compare the cost of the two actions of Step (3), repeated N times. Choosing a random point on J(Fq ) is equivalent to computing a constant number of square roots in Fq , and taking a square root requires O(log q) field operations in Fq (see [127, Algorithm 14.15 and Corollary 14.16]). The order of J(Fq ) is roughly q 2 , so multiplying a point on J(Fq ) by an integer using a binary expansion takes O(log q) point additions on J(Fq ). Each point addition takes a constant number of field operations in Fq , so we see that the each trial requires O(log q) = O(k log p) field operations in Fq . If fast multiplication techniques are used, then the number of field operations in Fp needed to perform one field operation in Fq (ignoring log log p factors) is O(log q log log q) = O(k log k log p), so each trial takes O(k 2 log k log2 p) field operations in Fp . The number of trials is p O(`s−4d − log ), which gives a total of O(k 2 log k(log2 p)`s−4d (− log )1/2 ) field operations in Fp .

5.5

Computing the action of Frobenius As in the previous section, we consider a genus 2 curve C over Fp with Jacobian J,

and assume that the endomorphism ring of J is an order in the ring of integers OK of a primitive quartic CM field K. We let π represent the Frobenius endomorphism, and we look at elements α ∈ OK such that `d α ∈ Z[π] for some prime power `d . We wish to devise a test that, given such an α, determines whether α is an endomorphism of J. Since π satisfies a quartic polynomial with integer coefficients, we can write α as α=

a0 + a1 π + a2 π 2 + a3 π 3 `d

(5.7)

113 for some integers a0 , a1 , a2 , a3 . Expressing α in this form is useful because of the following fact proved by Eisentr¨ager and Lauter [34, Corollary 9]: α is an endomorphism if and only if T = a0 + a1 π + a2 π 2 + a3 π 3 acts as zero on the `d -torsion. Thus we need a method for determining whether T acts as zero on the `d -torsion. Since T is a linear operator, it suffices to check whether T (Qi ) is zero for each Qi in some set whose points span the full `d -torsion. Below we describe three different ways to compute such a spanning set.

5.5.1

The brute force method

The most straightforward way to compute a spanning set for the `d -torsion is to use group structure algorithms to compute a basis of J[`d ]. This method was used in [34] to compute the class polynomials in one example. The methods of Section 5.4 determine a k for which J[`d ] ⊂ J(Fpk ). The computation of the group structure of J(Fpk ) gives generators for the group; multiplying these generators by appropriate integers gives generators for the `d -torsion. It is then straightforward to compute the action of T on each generator gi for 1 ≤ i ≤ 4. If T (gi ) = O for all i, then α is an endomorphism; otherwise α is not an endomorphism. This method of computing a spanning set has the same drawback as the brute-force method of computing fields of definition: since the best algorithm for computing group structure runs in time exponential in k log p, the method becomes prohibitively slow as k increases. Thus the method is only effective when `d is very small.

5.5.2

A probabilistic method

The method of Section 5.5.1 for computing generators of J[`d ] becomes prohibitively slow as the field of definition of the `d -torsion points becomes large. However, we can get around this obstacle by randomly choosing many points Qi of exact order `d , so that it is highly probable that the set {Qi } spans J[`d ]. Recall that we wish to test whether the operator T = a0 + a1 π + a2 π 2 + a3 π 3 acts as zero on the `d -torsion. To perform the test, we determine the field Fpk over which we expect the `d -torsion to be defined. (See Section 5.4.) We pick a random point P ∈ J(Fpk ) and multiply P by an appropriate integer to get a point Q whose order is a power of `. If Q has order `d , we act on Q by the operator T and test whether we get the identity of J; otherwise we try again with a new P . (See Section 5.5.3 for another method of randomly choosing

114 `d -torsion points.) We repeat the test until it is overwhelmingly likely that the points Q span the `d -torsion. If the set of Q spans the `d -torsion, then α is an endomorphism if and only if T acts as zero on all the Q. Algorithm 5.5.1. The following algorithm takes as input the Jacobian J of a genus 2 curve over Fp with CM by K; a prime power q = pk ; a prime power `d with ` 6= p; an element α ∈ OK such that `d α ∈ Z[π], where π ∈ OK corresponds to the p-power Frobenius endomorphism of J; and a real number  > 0. The algorithm outputs true or false. Suppose J[`d ] ⊂ J(Fq ). If α is an endomorphism of J, then the algorithm outputs true. If α is not an endomorphism of J, then the algorithm outputs false with probability at least 1 − . 1. Compute a0 , a1 , a2 , a3 such that α satisfies equation (5.7). 2. Set N to be

  d 1 if `d > 2 d−log` 2 (− log`  + 3d)e N←  max{d−2 log e + 6, 16} if `d = 2. 2

3. Compute #J(Fq ) = `s m, where ` - m. 4. Set i ← 1. 5. Choose a random point Pi ∈ J(Fq ). Set Qi ← [m]Pi . Repeat until [`d ]Qi = O and [`d−1 ]Qi 6= O. 6. Compute [a0 ]Qi + [a1 ] Frobp (Qi ) + [a2 ] Frobp2 (Qi ) + [a3 ] Frobp3 (Qi )

(5.8)

in J(Fq ). If the result is nonzero output false. 7. If i < N , set i ← i + 1 and go to Step (5). 8. Output true. Proof. By [34, Corollary 9], α is an endomorphism of J if and only if the expression (5.8) is O for all `d -torsion points Q. Furthermore, it suffices to check this expression only on a basis of the `d -torsion. Step (5) repeats until we find a point Qi of exact order `d ; the assumption J[`d ] ⊂ J(Fq ) guarantees that we can find such a point. The algorithm computes a total of N such points Qi . Thus if the set of Qi span J[`d ], then the algorithm will output true

115 or false correctly, according to whether α ∈ End(J). We must therefore compute a lower bound for the probability that the set of Qi computed span J[`d ]. To compute this bound, we will compute an upper bound for the probability that N points of exact order `d do not span J[`d ]. We will make repeated use of the following inequality, which can be proved easily: if `, d, n, and m are positive integers with ` > 1 and n > m, then `md − `m(d−1) 1 < (n−m)d . n(d−1) nd ` −` ` Next we observe that in any group of the form (Z/`d Z)r , there are `rd −`r(d−1) elements of exact order `d . The probability that a set of N elements does not span a 4-dimensional space is the sum of the probabilities that all the elements span a j-dimensional subspace, for j = 1, 2, 3. We consider each case: • j = 1: All of the Qi are in the space spanned by Q1 , and Q1 can be any element. The probability of this happening is  d N −1  N −1 ` − `d−1 1 < . `3d `4d − `4(d−1) • j = 2: Q1 can be any element, one of the Qi must be independent of Q1 , and the remaining N − 2 elements must be in the same 2-dimensional subspace. There are N − 1 ways to choose the second element, so the total probability is !N −2   2d  N −2 `d − `d−1 ` − `2(d−1) 1 (N − 1) 1 − 4d 1, it suffices to determine the field of definition of the `-torsion points of J. This result allows us to work over much smaller fields in Algorithm 5.4.3, thus saving us a great deal of computation. By Lemma 5.3.2, the prime powers `d input to Algorithms 5.4.3 and 5.5.1 divide the index [OK : Z[π, π]]. Thus a bound on this index gives a bound on the `d that appear.

120 Proposition 5.6.1. Let K be a primitive quartic CM field with discriminant ∆ = ∆(OK ). Suppose π ∈ OK corresponds to the Frobenius endomorphism of the Jacobian of a genus 2 curve defined over Fp . Then

16p2 [OK : Z[π, π]] ≤ √ . ∆

Proof. We showed in the proof of Corollary 5.3.5 that [Z[π, π] : Z[π]] = p. Combining this result with the formula [OK : Z[π]] = [OK : Z[π, π]][Z[π, π] : Z[π]], √ we see that it suffices to show that [OK : Z[π]] ≤ 16p3 / ∆. (Note that ∆ > 0 by [59, Proposition 9.4].) Next, recall that s [OK : Z[π]] = It thus suffices to show that

p

∆(Z[π]) . ∆(OK )

∆(Z[π]) ≤ 16p3 . By definition, p

∆(Z[π]) =

Y

|αi − αj | ,

(5.12)

i 1. Thus if (t − 1)(` − 1) > 1 then π k ≡ 1 (mod pi i conclude that if t > 2 or ` > 2 and the points of

A[`t ]

). We

are defined over the degree-k`

extension of F , then the points of A[`t−1 ] are defined over the degree-k extension of F . If A[`d ] ⊂ A(F 0 ), then by descending induction A[`] ⊂ A(F ) if ` is odd, and A[4] ⊂ A(F2 ) if ` = 2, where F2 is the quadratic extension of F .

124 It remains to show that if A[4] ⊂ A(F2 ), then A[2] ⊂ A(F ). This is equivalent to showing that if π 2 − 1 ∈ 4R then π − 1 ∈ 2R. We prove the contrapositive: suppose π − 1 6∈ 2R. Then there is some prime p over 2 such that vp (π − 1) < vp (2). Since π + 1 = (π − 1) + 2 and vp (π − 1) < vp (2), we must also have vp (π + 1) < vp (2). Multiplying the two expressions gives vp (π 2 − 1) < vp (4), so π 2 − 1 cannot be contained in 4R. We conclude that π 2 − 1 ∈ 4R implies π − 1 ∈ 2R. Corollary 5.6.4. Let J be the Jacobian of a genus 2 curve over Fp , with p > 3, and suppose that End(J) is isomorphic to the ring of integers OK of the primitive quartic CM field K. Let π ∈ OK correspond to the Frobenius endomorphism of J, and let `d be a prime power dividing [OK : Z[π, π]]. Suppose Fpk is the smallest field over which the points of J[`d ] are defined. Then k < 3p6 . Proof. We have ` 6= p by Proposition 5.3.6. By Proposition 5.6.2, the points of J[`] are defined over a field F of degree less than `3 over Fp . By Proposition 5.6.3, the points of J[`d ] are defined over a field L of degree `d−1 over F . Since degrees of extensions multiply, we get k = [L : Fp ] < `d+2 ≤ `3d . By Proposition 5.6.1, `d ≤

16 2 √ p , ∆

where ∆ is the discriminant of the quartic CM field K.

Lemma 5.6.5 below shows that any primitive quartic CM field has ∆ ≥ 125, so `d ≤

√16 p2 . 125

Since k < `3d , we conclude that k < 3p6 . Lemma 5.6.5. Suppose K is a primitive quartic CM field. Then ∆(K) ≥ 125. Proof. Since ∆(Q(ζ5 )) = 125, it suffices to show that no smaller discriminant can occur. The fact that ∆(K) > 0 follows from [59, Proposition 9.4]. Now suppose ∆(K) < 125. √ √ Since ∆(K0 )2 | ∆(K), we must have K0 = Q( 2) or Q( 5), as these are the only two √ real quadratic fields with discriminant less than 12. Since Q( 2) has class number 1, by √ [98, Proposition VI.6.9] Q( 2) has no unramified quadratic extensions, so ∆(K) is strictly √ greater than ∆(K0 )2 . Thus if K0 = Q( 2) then ∆(K) ≥ 128. p √ √ We deduce that K0 = Q( 5) and K must be of the form Q(i a + b 5), with a, b, and a2 − 5b2 positive integers. Since K is primitive, a2 − 5b2 is not a square in Q and its square-free part divides ∆(K)/∆(K0 )2 . It thus suffices to show that the square-free part of √ a2 − 5b2 is at least 5; this follows from the fact that 2 and 3 are inert in Q( 5), so there are no integer solutions to a2 − 5b2 = 2 or 3.

125

5.7

Computing Igusa class polynomials This section combines the results of all of the previous sections into a full-fledged

probabilistic version of Eisentr¨ager and Lauter’s CRT algorithm to compute Igusa class polynomials for primitive quartic CM fields [34, Theorem 1]. Algorithm 5.7.1. The following algorithm takes as input a primitive quartic CM field K not isomorphic to Q(ζ5 ), three integers λ1 , λ2 , λ3 which are multiples of the denominators of the three Igusa class polynomials for K, and a real number  > 0, and outputs three polynomials H1 , H2 , H3 ∈ Q[x]. Heuristically, the polynomials Hi (x) output by the algorithm are with high probability the Igusa class polynomials for K. 1. (Initialization.) (a) Let D be the degree of the Igusa class polynomials for K. (See [132, Theorem 3.1] for the case where the real quadratic subfield K0 has class number 1, and [51, preprint version, Corollary 3.1] for the general case.) (b) Compute an integral basis B for OK , using e.g. [26, Algorithm 6.1.8]. (c) Set p ← 3, B ← 1, H1 , H2 , H3 ← 0, F1 , F2 , F3 ← 0. 2. Set p ← NextPrime(p) until p splits completely in K and p splits into principal ideals b (the reflex field of K). in K 3. (Finding the curves.) Set T1 , T2 , T3 ← {}. For each (j1 , j2 , j3 ) ∈ F3p , do the following: (a) Compute a curve C/Fp with Igusa invariants (j1 , j2 , j3 ), using the algorithms of Mestre [88] and Cardona-Quer [22]. (b) Run Algorithm 5.2.1 with inputs K, p, C. i. If the algorithm outputs false, go to the next triple (j1 , j2 , j3 ). ii. If the algorithm outputs true, let π be one of the possible Frobenius elements it outputs. (c) For each prime ` dividing [OK : Z[π, π]], do the following: i. Run Algorithm 5.4.1 with inputs K, `, π. Let the output be k. ii. Run Algorithm 5.4.3 with inputs Jac(C), Fpk , `, and . If the output is false, go to the next triple (j1 , j2 , j3 ).

126 iii. If `2 divides [OK : Z[π, π]] or

π k −1 `

∈ Z[π], then for each α ∈ B \ Z written

in the form (5.3) with denominator n, do the following: A. Let d be the largest integer such that `d | n. If d = 0, go to the next α. B. Set k 0 ← k`d−1 . 0

C. Run Algorithm 5.5.1 with inputs Jac(C), pk , `d , `nd α, . D. If Algorithm 5.5.1 outputs false, go to the next triple (j1 , j2 , j3 ). Otherwise go to the next α. (d) Adjoin j1 , j2 , j3 to the sets T1 , T2 , T3 , respectively (counting multiplicities). 4. If the size of each set T1 , T2 , T3 is not equal to D, go to Step (2). 5. (Computing the Igusa class polynomials.) For i ∈ {1, 2, 3}, do the following: (a) Compute Fi,p (x) = λi

Q

j∈Ti (x

− j) in Fp [x].

(b) Use the Chinese remainder theorem to compute Fi0 (x) ∈ Z[x] such that Fi0 (x) ≡ Fi (x) (mod B), Fi0 (x) ≡ Fi,p (x) (mod p), and the coefficients of Fi0 (x) are in the interval [−pB/2, pB/2]. (c) If Fi0 (x) = Fi (x), output Hi (x) = λ−1 i Fi (x). If Hi (x) has been output for all i, terminate the algorithm. (d) Set Fi (x) ← Fi0 (x). 6. Set B ← pB, and return to Step (2). Proof. In view of [34, Theorem 1], it suffices to prove that Step (3c) correctly determines the set of curves with End(Jac(C)) = OK . It follows from Section 5.3 that End(Jac(C)) = OK if and only if each of the elements of the generating set listed in Proposition 5.3.7 is an endomorphism. By Algorithm 5.2.1, the π computed in Step (3b) is such that π σ is the Frobenius element of Jac(C) for some σ ∈ Aut(K/Q). By Corollary 5.3.9, End(Jac(C)) = OK if and only if β σ is an endomorphism for each β in the generating set of Proposition 5.3.7. Since elements of Aut(K/Q) preserve OK as a set, [OK : Z[π σ , π σ ]] = [OK : Z[π, π]]. For each ` dividing [OK : Z[π, π]], Steps (3(c)i) and (3(c)ii) test probabilistically whether

(π σ )k −1 `

is an endomorphism for an appropriate k. By Corollary 5.3.4, for any such

` dividing [OK : Z[π, π]] exactly, this suffices to determine whether n` ασ is an endomorphism for each α ∈ B \ Z.

127 By Corollary 5.5.2, if `2 divides [OK : Z[π, π]] then Step (3(c)iii) tests probabilistically whether

n σ α `d

is an endomorphism. The input uses the field Fpk0 because Proposition 5.6.3

implies that if the `-torsion points are defined over Fpk , then the `d -torsion points are defined over Fpk0 . The “heuristic” part of the statement refers to the termination procedure in Step (5), which differs from the corresponding step in [34, Theorem 1]. After the nth prime pn we use the Chinese remainder theorem to compute integer polynomials Fi (x) that, by Q Theorem 5.1.2, are the Igusa class polynomials for K modulo Bn = nj=1 pj . If for some i the Fi (x) agree for the nth and (n + 1)th primes, then with high probability the coefficients of λi Hi (x) ∈ Z[x] are less than Bn+1 , and thus Fi (x) is equal to Hi (x) itself. This conclusion is justified by the fact that if an integer m has the property that it is the same modulo Bn and modulo Bn+1 , then m = an +rn Bn = an+1 +rn+1 Bn+1 , with an = an+1 < Bn . It follows that pn+1 divides rn . Since the probability of this happening for a random number rn is 1/pn+1 , the probability that all coefficients would simultaneously satisfy this congruence is (1/pn+1 )D , so heuristically we expect that ri+1 is actually zero for each coefficient. Remark 5.7.2. The λi input into the algorithm can be taken to be products of primes bounded in [54], raised to a power that will be made explicit in forthcoming work. In practice, the power can be taken to be a small multiple of 6. Our version of the algorithm minimizes the amount of computation by terminating the algorithm in Step (5c) as soon as the polynomials agree modulo two consecutive primes. Since we check after every prime pi whether the algorithm is finished, we do not need to know in advance the number of primes pi that we will need to use. Thus the only bounds that need to be computed in advance are the bounds λi on the denominators of the coefficients of the Igusa class polynomials. In particular, we do not need to have a bound on either the numerators or the absolute values of the coefficients.

5.8

Implementation notes Our most significant observation is that in practice, the running time of the probabilis-

tic CRT algorithm is dominated by generating p3 curves for each small p. Steps (3a) and (3b) of Algorithm 5.7.1 generate a list of curves C for which End(Jac(C)) is an order in OK . Algorithms 5.4.3 and 5.5.1 determine which endomorphism rings are equal to OK . Data

128 comparing the relative speeds of these two parts of the algorithm appear in Section 5.9. This section describes a number of ways to speed up Algorithm 5.7.1, which are reflected in the running times that appear in Section 5.9. 1. If p and k are large, then the extra time required to do arithmetic on J(Fpk ) can slow down Algorithms 5.4.3 and 5.5.1 considerably. Since for various ` dividing the index [OK : Z[π, π]], the extension degrees k depend only on the prime p and the CM field K and not on the curve C, these extension degrees may be computed in advance (via Algorithm 5.4.1) before generating any curves. We set some bound N and tell the program that if the extension degree k for some ` is such that pk > N , we should p √ skip that p and go on to the next prime. For example, if K = Q(i 13 + 2 13) and p = 53 (see Example 5.9.2), we have [OK : Z[π, π]] = 32 · 43, and the 43-torsion of a Jacobian J with End(J) = OK will be defined over Fp924 , a field of over 5000 bits that is far too large for our current implementation to handle efficiently. 2. In a similar vein, since the speed of Algorithms 5.4.3 and 5.5.1 is determined by the size of the fields Fpk , for optimum performance one should perform these calculations in order of increasing k, so that as the fields get larger there are fewer curves to check. 3. Algorithms 5.4.3 and 5.5.1 take a single curve as input. In Algorithm 5.7.1 those algorithms are executed with the same field K and many different curves, so any parameter that only depends on the field K and the prime p can be precomputed and stored for repeated reference. For example, the representation α = (a0 + a1 π + a2 π 2 + a3 π 3 )/n and the extension degrees k in Step (3(c)i) can be computed only once. In addition, all of the curves that pass Step (3b) have one of a small number of given zeta functions. Since #J(Fpk ) is determined by the zeta function, this number can also be computed in advance. 4. If Fpk is small enough, it may be faster to check fields of definition using the brute force method of Section 5.4.1, rather than Algorithm 5.4.3. If ` is small (as must be the case for k to be small), then we often find that #J(Fpk ) = `s m with s  4d, and thus the number of random points needed in Algorithms 5.4.3 and 5.5.1 will be very large. While computing the group structure is an exponential-time computation, we find that if the group has size at most 2200 , MAGMA can compute the group structure fairly quickly.

129 5. If Step (5c) has already output Hi (x) for some i, the roots of this polynomial mod p can be used as the possible values of ji in Step (3). This will greatly speed up the calculation of the Fi,p for the remaining primes: if one Hi has been output then only p2 D curves need to be computed (instead of p3 ), and if two Hi have been output then only pD2 curves need to be computed. 6. In practice, for small primes p (p < 800 in our MAGMA implementation), computing #C(Fp ) (Step (5b) of Algorithm 5.2.1) is more efficient than choosing a random point on J(Fp ) and determining whether it is killed by one of the potential group orders (Step (5a) of Algorithm 5.2.1), so these two steps should be switched for maximum speed. However, as p grows, the order of the steps as presented will be the fastest. 7. Finally, we note that Algorithm 5.7.1 can easily be parallelized. One could assign to each processor a different prime p for which to compute curves, with a central processor combining the results via the Chinese remainder theorem. Or some processors could compute curves, some could run Algorithm 5.4.3, and some could run Algorithm 5.5.1. These two algorithms could even themselves be parallelized, with each processor computing a different random point on the Jacobian, and the central processor tallying which ones pass or fail the appropriate test.

5.9

Examples

This section describes the performance of Algorithm 5.7.1 on three quartic CM fields: p p p √ √ √ Q(i 2 + 2), Q(i 13 + 2 13), and Q(i 29 + 2 29). These fields are all Galois and have class number 1, so the density of primes with the desired splitting behavior is maximal. The Igusa polynomials are linear; they have integral coefficients for the first two fields, and have denominators dividing 512 for the last. In all three examples, as p grows the running time of the algorithm becomes dominated by the computation of p3 curves for each p, whereas it was previously suspected that the endomorphism ring computation would be the slow step in the CRT algorithm. A fast implementation in C to produce the curves from their Igusa invariants and to test the numbers of points would thus significantly improve the running time of the CRT algorithm. Details of the algorithms’ execution are given below. The algorithms were run on a 2.39 GHz AMD Opteron with 4 GB of RAM. The table headings have the following

130 meaning: • p: Size of prime field over which curves were generated. • `d : Prime powers appearing in the denominators n of elements α input into Algorithms 5.4.3 and 5.5.1, when written in the form (5.3). • k: Degrees of extension fields over which `d -torsion points are expected to be defined. These are listed in the same order as the corresponding `d . • Curves: Time taken to generate p3 curves and determine which have CM by K (cf. Algorithm 5.2.1). • #Curves: Number of curves computed with CM by K. • 5.4.3 & 5.5.1: Time taken to run Algorithms 5.4.3 and 5.5.1 to find the single curve whose Jacobian has endomorphism ring equal to OK . p √ Example 5.9.1. We ran Algorithm 5.7.1 with K = Q(i 2 + 2) and λ1 , λ2 , λ3 = 1. The results appear in Table 5.1. The last column of the table shows the intermediate polynomials Fi (x) computed via the Chinese remainder theorem in Step (5b). The algorithm output the Fi (x) listed for p = 151 as the Igusa class polynomials of K. The total time of this run was 3162 seconds, or about 53 minutes. We observe that the polynomials F2 and F3 agree for p = 103 and p = 113. We deduce that these polynomials are the correct Igusa polynomials, and following note (5) of Section 5.8, we use their roots for the values of j2 and j3 for p = 151. Thus instead of computing 1513 ≈ 222 curves, we need to compute only 151 curves, out of which we can easily choose the right one. As a result, the computation for p = 151 takes practically no time at all. The same phenomenon also appears for the last prime in Examples 5.9.2 and 5.9.3. p √ Example 5.9.2. We ran Algorithm 5.7.1 with K = Q(i 13 + 2 13) and λ1 , λ2 , λ3 = 1. The results appear in Table 5.2. The algorithm output the following Igusa class polynomials: x − 1836660096,

x − 28343520

x − 9762768.

The total time of this run was 6969 seconds, or about 116 minutes. In this example we skip some primes because Algorithms 5.4.3 and 5.5.1 would need to compute in fields which are too large to be practical. In particular, for p = 29, 53, 107, 139, the algorithms

131 p √ Table 5.1: Results for Algorithm 5.7.1 run with K = Q(i 2 + 2) and λ1 , λ2 , λ3 = 1. p

`d

k

Curves

#Curves

5.4.3 & 5.5.1

7

2,4

2,4

0.5 sec

7

0.3 sec

17

4,8

2,4

4 sec

39

0.2 sec

23

2,4,7

2,4,3

9 sec

49

2.3 sec

71

2,4

2,4

255 sec

7

0.7 sec

97

4,8

2,4

680 sec

39

0.3 sec

103

2,4,17

2,4,16

829 sec

119

17.6 sec

113

7,8,32

6,4,16

1334 sec

1281

28.8 sec

151

2,4,7,17

2,4,6,16

0.2 sec

1

–

Fi (x) x+2 x+5 x+6 (mod 7) x − 54 x + 19 x−8 (mod 119) x + 1017 x + 852 x + 111 (mod 2737) x − 75619 x + 28222 x − 46418 (mod 194327) x − 8237353 x + 9355918 x + 9086951 (mod 18849719) x + 104860961 x − 28343520 x − 9762768 (mod 1941521057) x − 1836660096 x − 28343520 x − 9762768 (mod 219391879441) x − 1836660096 x − 28343520 x − 9762768 (mod 33128173795591)

would run over extension fields of degree 264, 924, 308, 162, all of which have well over 1000 bits. Skipping these primes has no effect on the ultimate outcome of the algorithm. p √ Example 5.9.3. We ran Algorithm 5.7.1 with K = Q(i 29 + 2 29) and λ1 , λ2 , λ3 = 512 . The results appear in Table 5.3. The algorithm output the following Igusa class polynomials: x−

2614061544410821165056 , 512

x+

586040972673024 , 56

x+

203047103102976 . 56

The total time of this run was 56585 seconds, or about 15 hours, 43 minutes. In this example we again skip some primes because the fields input to Algorithms 5.4.3 and 5.5.1 would be too large. We also note that for p = 7, OK = Z[π, π], so any curve over F7 that has a correct zeta function already has CM by all of OK , and we do not need to run Algorithms 5.4.3 and 5.5.1.

132 p √ Table 5.2: Results for Algorithm 5.7.1 with K = Q(i 13 + 2 13) and λ1 , λ2 , λ3 = 1. p 29 53 61 79 107 113 131 139 157 191

`d 3,23 3,43 3 27 9,43 3,53 9,53 9,243 9,81 3,4,8

k 2,264 2,924 2 18 6,308 1,52 6,52 6,162 6,54 2,2,4

Curves – – 167 sec 376 sec – 1118 sec 1872 sec – 3147 sec 0.2 sec

#Curves – – 9 81 – 159 477 – 243 1

5.4.3 & 5.5.1 – – 0.2 sec 8.1 sec – 137.2 sec 127.4 sec – 16.5 sec –

Remark 5.9.4. The data in Examples 5.9.1, 5.9.2, and 5.9.3 suggest that odd primes dividing the index [OK : Z[π, π]] always split in OK0 , the ring of integers of K0 . In fact the factorization of the index [OK : Z[π, π]] was given in [34, Proposition 5] for primitive quartic √ √ CM fields K when K0 has class number 1. We write π = c1 + c2 d + (c3 + c4 d)η, where p √ the ci are rational numbers with only powers of 2 in the denominators and η = i a + b d with a, b, d ∈ Z, d > 0 and square-free. Then the index is, up to powers of 2, the product of c2 with (c23 − c24 d), where c2 is the index of Z[π + π] in OK0 up to a power of 2. If a prime divides (c23 −c24 d) exactly, then the prime splits in K0 . Thus primes different from 2 dividing the index [OK : Z[π, π]] exactly either split in K0 or divide the index [OK0 : Z[π + π]]. So except possibly for primes dividing c2 , no odd primes dividing the index [OK : Z[π, π]] exactly are inert or totally ramified in K. If K is Galois, then this is enough to ensure that the extension degree k determined by Proposition 5.6.2 is at most `2 . This agrees with the data in our examples, all of which considered Galois fields. In practice, if a prime ` is inert or totally ramified in K, it would almost certainly be skipped anyway, since Proposition 5.6.2 shows that the `-torsion may be defined over an extension field of degree k ∼ `3 , which is too large to be practical (cf. Note (1) of Section 5.8). The theoretical running times of Algorithms 5.4.3 and 5.5.1, given by Propositions 5.4.6 and 5.5.5 respectively, improve if inert or ramified primes ` are not considered. The slow step of both algorithms is computing a random point on J(Fpk ), which takes roughly O(k 2 log k(log p)2 ) operations in Fp . Since the bound on ` given by Proposition 5.6.1 is p2 , if k is bounded by `2 instead of `3 , this step would run in O(p8 log3 p) instead of O(p12 log3 p)

133 p √ Table 5.3: Results for Algorithm 5.7.1 with K = Q(i 29 + 2 29) and λ1 , λ2 , λ3 = 512 . p 7 23 53 59 83 103 107 139 181 197 199 223 227 233 239 257 277

time.

`d – 13 7 4,5,8 3,5 67 7,13 7,25 9,27 5,109 25 4,8,23 109 5,7,13 7,109 3,7,13 5,7,23

k – 84 6 2,12,4 4,24 1122 6,42 2,60 6,18 24,5940 60 2,4,22 1485 8,3,28 6,297 4,6,84 24,6,22

Curves 0.3 sec 9 sec 105 sec 164 sec 431 sec – 963 sec 2189 sec 84 min – 106 min 174 min – 193 min – 286 min 0.3 sec

#Curves 1 15 7 322 77 – 105 259 161 – 37 1058 – 735 – 1155 1

5.4.3 & 5.5.1 – 70.7 sec 0.5 sec 6.4 sec 9.8 sec – 69.3 sec 62.1 sec 3.6 sec – 1355.3 sec 35.1 sec – 141.6 sec – 382.8 sec –

134

Appendix A

Parameters for Pairing-Friendly Abelian Varieties A.1

Elliptic curves with embedding degree 10 In this section we give results of the execution of Algorithm 3.1.4 with inputs MinBits = 148,

MaxBits = 512,

MaxD = 2 · 109 .

Mike Scott implemented the computations in C++/NTL [116] and recorded the data [111].

A.1.1

Curves of prime order

Scott’s search found 23 curves of prime order over fields of size between 149 and 491 bits. Below we give the field size p, the group size r, and the CM discriminant D for each curve. A curve equation can be determined by computing the Hilbert class polynomial for √ the ring of integers of Q( −D) and finding a curve E/Fp whose j-invariant is a root of the class polynomial mod p. p D p r

= = = =

149 bits, r = 149 bits, 1666603 503189899097385532598615948567975432740967203 503189899097385532598571084778608176410973351

p D p r

= = = =

167 bits, r = 167 bits, 1744734787 122422753977607994982409086499580592436601185116163 122422753977607994982409064370617311016660704117271

135

p D p r

= = = =

171 bits, r = 171 bits, 185395987 2083326357803400732502230568736017478475832590830203 2083326357803400732502230477449077387279857998559851

p D p r

= = = =

171 bits, r = 171 bits, 190795843 2887834593705647033580742041459784997141562959984683 2887834593705647033580741933982632193289394044378051

p D p r

= = = =

172 bits, r = 172 bits, 1141200763 3590763702973812504360796554304334129856335904471043 3590763702973812504360796434458371277971959142005761

p D p r

= = = =

180 bits, r = 180 bits, 990757243 1122293530976362393523272676815272452781072693342838723 1122293530976362393523272674696505329214764008749287671

p D p r

= = = =

188 bits, r = 188 bits, 648666907 284980960902604464050497768248655074807567725439635139163 284980960902604464050497768214892316572932660953073087771

p D p r

= = = =

193 bits, r = 193 bits, 1649528323 10276457192485052926515801660118541136204219447539307223723 10276457192485052926515801659915795411785823359612422215171

p D p r

= = = =

196 bits, r = 196 bits, 579003643 61099963271083128746073769567944870354270161646150914794603 61099963271083128746073769567450502219087145916434839626301

p D p r

= = = =

234 bits, r = 234 bits, 1227652867 18211650803969472064493264347375950045934254696657090420726230043203803 18211650803969472064493264347375949776033155743952030750450033782306651

p D p r

= = = =

252 bits, r = 252 bits, 1039452307 6462310997348816962203124910505252082673338846966431201635262694402825461643 6462310997348816962203124910505252082512561846156628595562776459306292101261

p = 264 bits, r = 264 bits, D = 838990723 p = 2266583877336174248954828778866366915045677650514207126236707822637021357924 1243

136

r = 2266583877336174248954828778866366915044725477446464465443703904128748041224 6011 p = 273 bits, r = 273 bits, D = 1683538387 p = 9947942326664232376099280584264295214470696885466482930742141225735418341352 714723 r = 9947942326664232376099280584264295214470497406722485839840304615365831963407 761671 p = 291 bits, r = 291 bits, D = 296281483 p = 3799903926819770584524954763142080064763100623954389070885803606052033300857 169141842683 r = 3799903926819770584524954763142080064763100500667667534140077965397493307634 688343579051 p = 301 bits, r = 301 bits, D = 126139963 p = 2295906612971330793819480760277602114548272284485806266835306695945869447204 270532747317643 r = 2295906612971330793819480760277602114548272281455356390680724399984801494716 906367418265011 p = 309 bits, r = 309 bits, D = 944184187 p = 5221197099379961267781663903488686786483742323803025548549776778806185421770 49221041059499163 r = 5221197099379961267781663903488686786483742323346026769585107715970441739161 39398869610147771 p = 315 bits, r = 315 bits, D = 1487526043 p = 3866992284418719041347983674133717559523718678797919412050841166455734551346 5115369973641873883 r = 3866992284418719041347983674133717559523718678758590072954341113311859781255 8823488880436227701 p = 331 bits, r = 331 bits, D = 1431850363 p = 3194192423086417601436539945152712618198781172719622448104297431370955345097 650741456242416736232203 r = 3194192423086417601436539945152712618198781172719509413730355936607591046300 070761686891259023380851 p = 366 bits, r = 366 bits, D = 33555283 p = 1354768560298799684139093162837261769646247750412289972544131164370133270217 65763013460844983529908792964617763 r = 1354768560298799684139093162837261769646247750412289972311342113055532163255

137

39360593097745238140316627358904871 p = 380 bits, r = 380 bits, D = 267410467 p = 2339204943579542056151779470368870295763871924382713042046576405133768299391 477817017385592283876844743840240842883 r = 2339204943579542056151779470368870295763871924382713042043517513214409563986 371399004288311722525198894651108516951 p = 404 bits, r = 404 bits, D = 426205003 p = 2597706591591198405996032563515859958371389023433202635888464161379700952080 8077669674239894701170912925422614734360995883 r = 2597706591591198405996032563515859958371389023433202635888463142025671854986 7090743012661920976463852165330259074440000451 p = 415 bits, r = 415 bits, D = 79434787 p = 5514924090277076006137230618597461392564019339043825049125419095783967700266 9147456448802521736258505173722211451602905634963 r = 5514924090277076006137230618597461392564019339043825049125419048816216677774 5731179928896816225900920099065339403740237043071 p = 491 bits, r = 491 bits, D = 20056963 p = 3422670730140745611063008390984886199083153138113027016016808029034489036281 589838430444475052147319044685739437275217228117724161830578064094716523 r = 3422670730140745611063008390984886199083153138113027016016808029034489036164 582646683257488544781114697550790739462160878161058595302756050379234621

A.1.2

Curves with small cofactors

If we relax the condition of r being prime in Algorithm 3.1.4 and allow a “cofactor” h such that #E(Fq ) = hr, we find many more suitable curves. Below we give parameters for all curves found by Scott with subgroup sizes between 148 and 512 bits and cofactors less than 100. In addition to the field size p, the subgroup size r, and the CM discriminant D, we give the cofactor h as well as the ρ-value log q/ log r. Equations for the curves can again be constructed via the CM method. p = r = D = p = r = h = rho

156 bits, 152 bits 1163411323 46491799279065281262949845565372377478096005643 4226527207187752842086310393293720919304143751 11 = 1.022824553

138

p = r = D = p = r = h = rho

173 bits, 168 bits 26906587 10138978787899014979556710182668437938887966202371323 327063831867710160630861612299465986114696409316341 31 = 1.02952336

p = r = D = p = r = h = rho

178 bits, 174 bits 776358547 249780845441118230976458804143017684580147331902502683 22707349585556202816041709376677826345225287399591391 11 = 1.019890545

p = r = D = p = r = h = rho

191 bits, 188 bits 125434987 2302786396545700640267130213442885812764589522451036711123 209344217867790967297011837576991918136381336797313337661 11 = 1.018490355

p = r = D = p = r = h = rho

198 bits, 193 bits 1464898147 207996980122469265501634927384037072390157655791953255691043 6709580003950621467794675076874998021665222373884114537081 31 = 1.025790194

p = r = D = p = r = h = rho

200 bits, 195 bits 119064067 924570000037739879129633918438761462867977388441529697158443 29824838710894834810633352207639947471175907455080071883331 31 = 1.025504446

p = r = D = p = r = h = rho

202 bits, 198 bits 744549043 3449357194062223679948590120941515953738570688614483618428523 313577926732929425449871829176163769518688591712698359927511 11 = 1.017503473

p = 207 bits, r = 202 bits

139

D = p = r = h = rho

448871083 137031017855675817387778232371363032752988715283991332977952203 4420355414699219915734781689398052280751064640028692983014221 31 = 1.024591482

p = r = D = p = r = h = rho

206 bits, 203 bits 164930707 85329001180125284730411332555603275938544233454665921565241803 7757181925465934975491939323234981927173223552660334356513241 11 = 1.017102936

p = r = D = p = r = h = rho

219 bits, 216 bits 40319947 837560881553094601656898126335293801745314988531201407758920596923 76141898323008600150627102394117451943478921237940702343764319361 11 = 1.016050657

p = r = D = p = r = h = rho

233 bits, 227 bits 1651027 9864054284671734266547148769747226053832768336180415355821151502376483 161705807945438266664707356881102063199948811046090068924437131475941 61 = 1.026174508

p = r = D = p = r = h = rho

239 bits, 235 bits 1600012003 447171559055497502385048769148266703338701827010046072982567143631364283 40651959914136136580458979013478791091025825243672251775637104184579841 11 = 1.014748707

p = r = D = p = 63 r = 1 h = rho

257 bits, 254 bits 546540763 2062788121713387297069689367776270007602550698170513561749517476676130997847 1875261928830352088245172152523881825084970102461130238894243334439547141051 11 = 1.013653479

p = 261 bits, r = 258 bits

140

D = p = 563 r = 61 h = rho

1874162947 3091701852274731464061284916573302514227505246398656211391303573339957213242 2810638047522483149146622651430275012930898726559765394195428324625634832050 11 = 1.013446207

p = 288 bits, r = 283 bits D = 131545147 p = 2505599572590219629537321870173155631004078127016113277041767364024177321643 86483115483 r = 8082579266420063321088135065074695583884121969143217032374357632380849197164 283969771 h = 31 rho = 1.017564536 p = 292 bits, r = 286 bits D = 646182403 p = 7404707569865514308061323755615540853577368914336780475316695443041139047073 971836925163 r = 1213886486863199066895298976330416533373339138071403188021098895767921769573 93361142111 h = 61 rho = 1.020739349 p = 303 bits, r = 299 bits D = 46195603 p = 1617236167366554381642365517953905247071558836026242105110302503283020071347 3422635764905483 r = 5216890862472756069814082315980339506682447855554660019612457442177096658999 47504458831021 h = 31 rho = 1.016622879 p = 350 bits, r = 346 bits D = 1073269963 p = 1502350023383639723385357529354982766471102956845724615448825737420718964992 472747493168392511848802347723 r = 1365772748530581566713961390322711605882820869859749579935004743045093880634 99077709249619225709885654311 h = 11 rho = 1.010000374 p = 423 bits, r = 420 bits

141

D = 57667387 p = 1953902619039024799944980318911451435506493631046574006219161845845462017097 9645740800898070801638548999046997998642389239186443 r = 1776275108217295272677254835374046759551357846405976369290147131783093275474 919693954438061919954548589818917467978601908655751 h = 11 rho = 1.008248687 p = 444 bits, r = 440 bits D = 1607123107 p = 2855016011415369269978748558244776181428735542065753952674014405191070317040 2528952046925926212430140747061540536752185756007120500723 r = 2595469101286699336344316871131614710389759583696139956976376731990910609130 072939173476788939185257200190933150489230416327590750061 h = 11 rho = 1.007864659 p = 447 bits, r = 441 bits D = 1817751043 p = 2539184042402334433762107652909933121839744999744747431237518650296046787450 16212253759596816479215985760212421554524984805830355452883 r = 3576315552679344272904376975929483270196823943302461170757068521543279001553 517561957648098009100642298696873078639216201681270002281 h = 71 rho = 1.013966129 p = 475 bits, r = 471 bits D = 979125307 p = 5633658922340774148141720951841893143660810560749703229595185820377818141966 0975778630631263022704709935860464465151482184559035892069814412243 r = 5121508111218885589219746319856266494237100509772457481450168927616198267723 124993217938487764161482592053282429637136443612356285630777992251 h = 11 rho = 1.007348791 p = 476 bits, r = 473 bits D = 65006443 p = 1690481690806419763378275426356214819764443825447811570898028710317441328911 38707647707700190727551832804056035598601806961044383111070615427603 r = 1536801537096745239434795842142013472513130750407101428089117009379492109716 6304730765126839016510565041656664336961206271812456711656513850141 h = 11 rho = 1.007324126

142

A.2

Families of pairing-friendly abelian surfaces Below we give data and example curves for all of the families of abelian surfaces with

ρ < 8 that we found using Algorithm 4.4.9. For each family we give the following data: • the embedding degree k, • the CM field K and polynomial r(x) input into Algorithm 4.4.9, • the π(x) output by the algorithm, and • the ρ-value of the family (π, r). We also give an example curve in each family. We used Algorithm 2.2.4 to find a value x0 for which q(x0 ) = π(x0 )π(x0 ) is prime and r(x0 ) has a large prime factor. Since we are looking for varieties with prime-order subgroups of at least 160 bits, we input the value y0 = 2b160/ deg rc+1 into Algorithm 2.2.4. Given the output, we then used CM methods to construct a curve over Fq(x0 ) whose Jacobian has the specified number of points. We give our results in the following format: • The values x0 and h output by Algorithm 2.2.4, as well as the values of a and b used in Step (1) of that algorithm, • a genus 2 curve C over Fq(x0 ) whose Jacobian has CM by K, • the number of Fq(x0 ) -rational points on Jac(C), • the bit size of the prime-order subgroup of Jac(C) (i.e., of r(x0 )/h), and • the ρ-value of Jac(C) with respect to r(x0 )/h. In all cases except the k = 6 example, we started with a curve defined over Q whose Jacobian has CM by K and found the appropriate twist of the curve’s reduction modulo q(x0 ). Equations for these curves are given by van Wamelen [124]. The remaining case uses a CM field K for which there are no curves over Q with CM by K. In this case we used the database maintained by David Kohel [69] to compute the absolute Igusa invariants of C, and then constructed C via Mestre’s algorithm [88]. We note that some of van Wamelen’s curve equations are non-monic and/or of degree 6. Monic, degree-5 models of these curves can easily be obtained by a change of variables; we chose to keep van Wamelen’s equations in order to minimize the size of the coefficients.

143 For completeness, we repeat here the examples that appear in Section 4.5. Note that the values of π(x) below may differ from those in the examples of Section 4.5 due to different choices of αi and βi in Algorithm 4.4.9. In most cases these will be a permutation of the earlier choices and the q(x) obtained will be the same. The MAGMA notation K.1 indicates a root of the polynomial defining the number field K. Embedding degree 5 CM field K = Number Field with defining polynomial x^4 + x^3 + x^2 + x + 1 over the Rational Field r(x) = x^4 + x^3 + x^2 + x + 1 pi(x) = 1/5*(-2*zeta_5^2 - zeta_5 - 2)*x^4 + 1/5*(-2*zeta_5^3 - zeta_5^2 2*zeta_5 - 5)*x^3 + 1/5*(-zeta_5^3 - 4*zeta_5^2 - 4*zeta_5 - 6)*x^2 + 1/5*(-2*zeta_5^3 - zeta_5^2 - 2*zeta_5 - 5)*x + 1/5*(-2*zeta_5^2 - zeta_5 2) rho-value 4 a = 5 b = 1 h = 5 x0 = 10995116291056 C = Hyperelliptic Curve defined by y^2 = x^5 + 5 over GF(4271974113170158352922565429523480161162274995258808768382589143894437821741\ 2350245394857724760697377581) #Jac(C) = 182497628235959609266207886820153866793595155746736415067063102859215\ 7865839328215546950380612794246312062400499119897003331070295500581706041284897\ 362019684550729676049506454942440045788093700846840308060655 172 bit subgroup rho = 4.027 *

*

*

*

*

*

*

*

*

*

*

*

*

Embedding degree 6 CM field K = Number Field with defining polynomial x^4 + 12*x^2 + 18 over the Rational Field r(x) = x^16 - x^8 + 1 pi(x) = 1/576*(-K.1^2 - 6)*x^30 + 1/96*K.1*x^29 + 1/288*(-2*K.1^2 21)*x^28 + 1/144*(-K.1^3 - 9*K.1)*x^27 + 1/288*(K.1^2 + 6)*x^26 + 1/288*(-K.1^3 - 9*K.1)*x^25 + 1/96*(K.1^2 + 6)*x^24 + 1/288*(K.1^3 + 9*K.1)*x^23 + 1/192*(K.1^2 + 6)*x^22 + 1/288*(2*K.1^3 + 15*K.1)*x^21 + 1/288*(2*K.1^3 + 15*K.1)*x^19 + 1/192*(-K.1^2 - 6)*x^18 + 1/288*(K.1^3 + 9*K.1)*x^17 + 1/96*(-K.1^2 - 6)*x^16 + 1/288*(-5*K.1^3 - 57*K.1)*x^15 + 1/192*(-K.1^2 - 6)*x^14 + 1/288*(-10*K.1^3 - 63*K.1)*x^13 + 1/96*(-2*K.1^3 - 13*K.1)*x^11 + 1/192*(K.1^2 + 6)*x^10 + 1/96*(K.1^3 + 13*K.1)*x^9 + 1/96*(K.1^2 42)*x^8 + 1/96*(-K.1^3 - 13*K.1)*x^7 + 1/288*(K.1^2 + 6)*x^6 + 1/48*(K.1^3 + 7*K.1)*x^5 + 1/288*(-2*K.1^2 - 21)*x^4 + 1/288*(8*K.1^3 + 45*K.1)*x^3 + 1/576*(-K.1^2 - 6)*x^2 + 1/72*(K.1^3 + 12*K.1)*x + 1 rho-value 15/2

144

a = 8 b = 0 h = 1 x0 = 19728 C = Hyperelliptic Curve defined by y^2 = x^5 + 104476561097897042684174178777913757127480611874140125951762119695005347022\ 689037615756963898957612831252226186830021116323303398849607118538655278405\ 724072152533241220032460772424008286264157903569767495876175783726705983001\ 57209423260265552363163357973*x^3 + 246668188228028038893281869877032092006\ 897632953427495712421544478972179857819407146128038795884795921201167932509\ 677650696198593765200679575491798462406897341389831787348799779921428437163\ 56704761017061259227798876997057734309102996883788275930382898921*x^2 + 256471144458030134474403365368509112960523939625723433197784865400604669687\ 243648142595453858692192576662774819603049915763053817358113477707921095969\ 796011818910552751436236487983479546199989671534206637033276549051201745790\ 72483838524402093949726278018*x + 74730560656145474320378392122708975055549\ 904324925363657022729152018620506996835469497296554172288467105729863232839\ 794388703131283609452223570789975704946810922352537819876174253735529674419\ 18363427334534096246293725512302509521725888683185636143153803 over GF(2750496620499129720252485580903561684169489374849236519442995528958496591300\ 1692113042934991731677065609567131389847124725576638776032113179784371373115571\ 9997218945562572182640487393890532391901547290863755777806010350864473419536329\ 42051315952537054161) #Jac(C) = 756523165937713361724114475138729043120398921470617643364304030580212\ 5674249871678278460099412586036105471111615849908291730698624635883286149262350\ 3504229880398287175019406123330510484765806412871017125490685774246737404684064\ 8923655212225775355386138903636080508237406221645557917136992466421582893883191\ 0611259968114190007806904634847252361780147182309951438188841814605596231171265\ 6769589180406640514598547662799973240478472462918895939601394504360891236694788\ 8389519721703413476765061113255768898325632 229 bit subgroup rho = 7.376 *

*

*

*

*

*

*

*

*

*

*

*

*

Embedding degree 8 CM field K = Number Field with defining polynomial x^4 + 10*x^2 + 20 over the Rational Field r(x) = x^16 - x^12 + x^8 - x^4 + 1 pi(x) = 1/200*(-K.1^3 - K.1^2 - 10*K.1 + 5)*x^30 + 1/400*(-5*K.1^3 6*K.1^2 - 20*K.1 + 10)*x^29 + 1/200*(-9*K.1^3 - 11*K.1^2 - 60*K.1 - 95)*x^28 + 1/200*(-9*K.1^3 - 7*K.1^2 - 30*K.1 - 25)*x^27 + 1/100*(2*K.1^3 - 7*K.1^2 + 15*K.1 - 55)*x^26 + 1/200*(-2*K.1^3 + 17*K.1^2 - 20*K.1 + 75)*x^25 + 1/400*(19*K.1^3 + 46*K.1^2 + 100*K.1 + 290)*x^24 + 1/200*(16*K.1^3 - 7*K.1^2 + 70*K.1 - 45)*x^23 + 1/400*(7*K.1^3 + 4*K.1^2 + 40*K.1 + 120)*x^22 + 1/80*(5*K.1^3 6*K.1^2 + 36*K.1 - 6)*x^21 + 1/100*(-3*K.1^3 - 8*K.1^2 - 25*K.1 75)*x^20 + 1/20*(-2*K.1^3 + 2*K.1^2 - 7*K.1 + 12)*x^19 + 1/80*(K.1^3 - 2*K.1^2 - 30)*x^18 + 1/40*(-K.1^3 + 8*K.1^2 - 10*K.1 + 28)*x^17 + 1/80*(K.1^3 + 10*K.1^2 + 16*K.1 + 62)*x^16 + 1/40*(3*K.1^3 2*K.1^2 + 10*K.1 - 24)*x^15 + 1/80*(3*K.1^3 + 10*K.1^2 + 24*K.1 +

145

70)*x^14 + 1/40*(3*K.1^3 - 8*K.1^2 + 18*K.1 - 28)*x^13 + 1/80*(-K.1^3 - 2*K.1^2 - 8*K.1 - 22)*x^12 + 1/20*(-K.1^3 + 2*K.1^2 - 3*K.1 + 12)*x^11 + 1/400*(-7*K.1^3 - 32*K.1^2 - 60*K.1 - 140)*x^10 + 1/400*(-15*K.1^3 + 34*K.1^2 - 80*K.1 + 90)*x^9 + 1/400*(7*K.1^3 12*K.1^2 + 80*K.1 - 80)*x^8 + 1/200*(K.1^3 - 7*K.1^2 - 20*K.1 45)*x^7 + 1/400*(3*K.1^3 + 22*K.1^2 + 20*K.1 + 130)*x^6 + 1/200*(8*K.1^3 - 13*K.1^2 + 50*K.1 - 65)*x^5 + 1/200*(-3*K.1^3 2*K.1^2 - 30*K.1 - 10)*x^4 + 1/200*(-4*K.1^3 - 7*K.1^2 - 20*K.1 25)*x^3 + 1/200*(-4*K.1^3 - 3*K.1^2 - 20*K.1 - 15)*x^2 + 1/80*(-K.1^3 + 2*K.1^2 - 8*K.1 + 10)*x + 1/400*(3*K.1^3 - 2*K.1^2 + 20*K.1 + 10) rho-value 15/2 a = 20 b = 17 h = 1 x0 = 53197 C = Hyperelliptic Curve defined by y^2 = -4*x^5 + 30*x^3 - 45*x + 22 over GF(183204227400473854636631436072536959205840312075941767966633188337034061\ 0994644959345275510791219546049134961531239136171259222769655474765924144283516\ 6076984821850896013592891179326737600501841828855305170012317302516960456953947\ 9039431979971869384014771885909666685245653261793271) #Jac(C) = 335637889374045351052081645066599050488196011356113649757477564960257\ 9313159888238562393418558925893829742614311080003844152666172028867863797598224\ 6233132719727286669079943527366438298311901517812261157014500120685479258427131\ 7626396028654262644092667862786091029519033211541636233994307942135704697581530\ 6794924213384255834028498210109072763403899173414799205603381603000620823452763\ 6835928824802821218842177253141091110052792555465502407597719579359658810265352\ 0040459572849887780840378738039041791571093067528124746449813565209906084027924\ 06104700868004667796 252 bit subgroup rho = 7.439 *

*

*

*

*

*

*

*

*

*

*

*

*

Embedding degree 10 CM field K = Number Field with defining polynomial x^4 + x^3 + x^2 + x + 1 over the Rational Field r(x) = x^4 - x^3 + x^2 - x + 1 pi(x) = 1/25*(2*zeta_5^2 + zeta_5 + 2)*x^6 + 1/25*(2*zeta_5^3 - 9*zeta_5^2 3*zeta_5 - 5)*x^5 + 1/5*(-zeta_5^3 + 2*zeta_5^2 - 2)*x^4 + 1/5*(zeta_5^3 zeta_5^2 + zeta_5 + 5)*x^3 + 1/5*(-2*zeta_5^3 + 3*zeta_5^2 - 2)*x^2 + 1/25*(-3*zeta_5^2 + zeta_5 + 12)*x + 1/25*(-3*zeta_5^3 + 6*zeta_5^2 + 2*zeta_5) rho-value 6 a = 5 b = -1 h = 5 x0 = 10995116288754 C = Hyperelliptic Curve defined by y^2 = x^5 + 2 over GF(2497398870216720358966543601195425675423665402711767589110074453233429403352\ 1458782242579882183246444513999204200096562072084590259096569757625132773095701\ )

146

#Jac(C) = 623700111695975125922504842885296097742566778967316583412995008821862\ 3191220324453348980029083834130125525267271471600298129362349593015347618526647\ 3085613568997471487027760908319704934255193972241765427536712074627429936631084\ 1826673876688442709071645633638506380891594440744121362259645233390880880774439\ 221 172 bit subgroup rho = 6.000 *

*

*

*

*

*

*

*

*

*

*

*

*

Embedding degree 13 CM field K = Number Field with defining polynomial x^4 + 26*x^2 + 117 over the Rational Field r(x) = x^12 + x^11 + x^10 + x^9 + x^8 + x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + x + 1 pi(x) = 1/4056*(-19*K.1^3 + 183*K.1^2 - 377*K.1 + 2301)*x^20 + 1/338*(-2*K.1^3 + 7*K.1^2 - 39*K.1 + 78)*x^19 + 1/4056*(23*K.1^3 + 177*K.1^2 + 481*K.1 + 2535)*x^18 + 1/1352*(7*K.1^3 + 49*K.1^2 + 65*K.1 + 767)*x^17 + 1/2028*(19*K.1^3 + 141*K.1^2 + 221*K.1 + 1755)*x^16 + 1/1352*(K.1^3 + 97*K.1^2 - 65*K.1 + 1183)*x^15 + 1/2028*(31*K.1^3 + 192*K.1^2 + 377*K.1 + 2496)*x^14 + 1/1352*(13*K.1^3 + 173*K.1^2 + 195*K.1 + 2587)*x^13 + 1/26*(3*K.1^2 - 2*K.1 + 39)*x^12 + 1/52*(K.1^3 + 8*K.1^2 + 11*K.1 + 104)*x^11 + 1/312*(5*K.1^3 + 33*K.1^2 + 55*K.1 + 507)*x^10 + 1/78*(2*K.1^3 + 9*K.1^2 + 28*K.1 + 117)*x^9 + 1/312*(5*K.1^3 + 33*K.1^2 + 55*K.1 + 507)*x^8 + 1/4056*(97*K.1^3 + 441*K.1^2 + 1235*K.1 + 5811)*x^7 + 1/338*(2*K.1^3 + 32*K.1^2 + 13*K.1 + 429)*x^6 + 1/2028*(8*K.1^3 + 165*K.1^2 + 52*K.1 + 2535)*x^5 + 1/1352*(19*K.1^3 + 81*K.1^2 + 273*K.1 + 923)*x^4 + 1/338*(-K.1^3 + 9*K.1^2 - 26*K.1 + 130)*x^3 + 1/4056*(23*K.1^3 + 99*K.1^2 + 325*K.1 + 1521)*x^2 + 1/2028*(8*K.1^3 + 3*K.1^2 + 130*K.1 + 39)*x + 1/338*(-K.1^2 - 13) rho-value 20/3 a = 13 b = 1 h = 13 x0 = 240254 C = Hyperelliptic Curve defined by y^2 = -11*x^6 - 2*x^5 - x^4 + 4*x^3 + 7*x^2 6*x + 1 over GF(2002799636412049837164981845555106197370218303245028155833464686136635859226\ 1685959968568186991846522433743098568705390919516922109395585349377301506246701\ 850103759541416747667085567685515616608822513018723014744943) #Jac(C) = 401120638361223902394555489275643787423393512561030549417337796317288\ 8758719196645384506951446346172784296775561818738811020891136096984373628663248\ 1994302326454759156331191760557733522433402438698889627892472799235159998972160\ 6585763649635474062479775930161927004562415887010164546137132021499856693757081\ 4349877688244545783294460252315909251955395715203652016278788929546869396576395\ 21234405613839808733519287646817357040636464 212 bit subgroup rho = 6.754 *

*

*

*

*

*

*

*

*

*

*

*

*

147

Embedding degree 15 CM field K = Number Field with defining polynomial x^4 + x^3 + x^2 + x + 1 over the Rational Field r(x) = x^8 - x^7 + x^5 - x^4 + x^3 - x + 1 pi(x) = 1/25*(zeta_5^3 - zeta_5^2 - zeta_5 + 1)*x^14 + 1/25*(-zeta_5^3 zeta_5^2 + 2)*x^13 + 1/25*(-4*zeta_5^3 + 5*zeta_5^2 + 7*zeta_5 - 3)*x^12 + 1/25*(4*zeta_5^3 + 4*zeta_5^2 + 5*zeta_5 - 8)*x^11 + 1/25*(6*zeta_5^3 6*zeta_5^2 - 6*zeta_5 + 1)*x^10 + 1/25*(-4*zeta_5^3 + 4*zeta_5^2 + 4*zeta_5 - 4)*x^9 + 1/25*(-11*zeta_5^3 + 4*zeta_5^2 - 5*zeta_5 - 8)*x^8 + 1/25*(zeta_5^3 - 5*zeta_5^2 - 3*zeta_5 + 7)*x^7 + 1/25*(4*zeta_5^3 + 4*zeta_5^2 + 10*zeta_5 - 13)*x^6 + 1/25*(zeta_5^3 + 4*zeta_5^2 - zeta_5 4)*x^5 + 1/25*(6*zeta_5^3 - zeta_5^2 + 4*zeta_5 + 11)*x^4 + 1/25*(-6*zeta_5^3 - zeta_5^2 - 13)*x^3 + 1/25*(-4*zeta_5^3 - 3*zeta_5 + 12)*x^2 + 1/25*(4*zeta_5^3 - zeta_5^2 - 3)*x + 1/25*(zeta_5^3 - zeta_5^2 zeta_5 + 1) rho-value 7 a = 5 b = -1 h = 1 x0 = 10486759 C = Hyperelliptic Curve defined by y^2 = x^5 + 1 over GF(3027234587378952134543882421765560418784985527734675952435585748958972474354\ 2473270142066335343669964683388983102454279236242642695011994589036282659389988\ 3068954820877181053781299029288485982281) #Jac(C) = 916414924702341458616104139313541697541032783722029646025587378301253\ 5698319792749215982470949341516977668227591233266892738681969954529491185508689\ 0491823996938980260224326031121942356402075276529770997521314028055391891237569\ 1609265263759434804565077776228869494970249379432566572611667826468222560652864\ 2111259469370832428216535657604907700794445999179896545137196667449050217875314\ 6880 188 bit subgroup rho = 6.925 *

*

*

*

*

*

*

*

*

*

*

*

*

Embedding degree 16 CM field K = Number Field with defining polynomial x^4 + 4*x^2 + 2 over the Rational Field r(x) = x^8 + 1 pi(x) = 1/64*(-K.1^2 - 2)*x^14 + 1/32*(-K.1^2 + 3*K.1 - 2)*x^13 + 1/64*(K.1^2 + 4*K.1 - 16)*x^12 + 1/16*(2*K.1^3 + K.1^2 + 6*K.1 + 5)*x^11 + 1/64*(8*K.1^3 + K.1^2 + 28*K.1)*x^10 + 1/32*(-4*K.1^3 - K.1^2 - 7*K.1 - 2)*x^9 + 1/64*(-8*K.1^3 - K.1^2 - 16*K.1 - 34)*x^8 + 1/8*(K.1^3 + 2*K.1 + 4)*x^7 + 1/64*(8*K.1^3 - K.1^2 + 16*K.1 - 2)*x^6 + 1/32*(-4*K.1^3 - K.1^2 - 13*K.1 - 2)*x^5 + 1/64*(-8*K.1^3 + K.1^2 28*K.1 - 16)*x^4 + 1/16*(K.1^2 - 2*K.1 + 5)*x^3 + 1/64*(K.1^2 4*K.1)*x^2 + 1/32*(-K.1^2 + K.1 - 2)*x + 1/64*(-K.1^2 - 2) rho-value 7 a = 4

b = 3

h = 2

148

x0 = 8392747 C = Hyperelliptic Curve defined by y^2 = -x^5 + 3*x^4 + 2*x^3 - 6*x^2 - 3*x + 1 over GF(3613981589624080293547127629913834115688319997095252947781027398590165644291\ 2388642874221168785104192255608129174893110606527002839942594930765104541658993\ 298502578195396246141241671098576321) #Jac(C) = 130608629301417943032635457294774732934647600264450099739539692981433\ 2002855193632191143886784591621594315352518511974817281176052563661195906834932\ 0463447494022387161045037338508295113916955639553608161902832362972058788273989\ 3786556341085551311055538006474556446452509656079566004240882048933376325778234\ 4643083614619291171862494394434216428309036864555986077240717252116454842368 184 bit subgroup rho = 6.918 *

*

*

*

*

*

*

*

*

*

*

*

*

Embedding degree 20 CM field K = Number Field with defining polynomial x^4 + x^3 + x^2 + x + 1 over the Rational Field r(x) = x^8 - x^6 + x^4 - x^2 + 1 pi(x) = 1/25*(2*zeta_5^3 + 2*zeta_5^2 + 1)*x^12 + 1/25*(-2*zeta_5^3 - 9*zeta_5^2 - zeta_5 - 3)*x^11 + 1/25*(-5*zeta_5^3 + 3*zeta_5^2 - zeta_5 - 2)*x^10 + 1/5*(zeta_5 + 1)*x^9 + 1/5*(zeta_5^3 + zeta_5^2 - zeta_5 - 1)*x^8 + 1/5*(-zeta_5^2 - zeta_5)*x^7 + 1/5*(zeta_5^2 + zeta_5 + 3)*x^6 + 1/5*(zeta_5^3 + 2*zeta_5^2 + 3*zeta_5 + 1)*x^5 + 1/5*(2*zeta_5^3 + zeta_5^2 + 2*zeta_5)*x^4 + 1/5*(zeta_5^3 + 2)*x^3 + 1/25*(-3*zeta_5^3 + 2*zeta_5^2 + 6)*x^2 + 1/25*(-2*zeta_5^3 + zeta_5^2 - zeta_5 - 3)*x + 1/25*(-2*zeta_5^2 zeta_5 - 2) rho-value 6 a = 5 b = 2 h = 5 x0 = 10490607 C = Hyperelliptic Curve defined by y^2 = x^5 + 10 over GF(2525251316400542183250325605065948648876452426655850438437774758507322207801\ 0180517226792727915877794336312301648054314085827449303412564338440988302898960\ 757875722701) #Jac(C) = 637689421098267120689322982380550360241785159377354239792730910693245\ 9410140350213854337105698241010003899920951139340742250366234190808359151556493\ 3132820589218333553985719070980238712654538240301484711588419289346837909821841\ 5501498921413203628711767748990943844373625736065843179114229909058804624321699\ 104948755046639315754039581 185 bit subgroup rho = 6.000 *

*

*

*

*

*

*

*

*

*

*

*

*

Embedding degree 30 CM field K = Number Field with defining polynomial x^4 + x^3 + x^2 + x + 1 over the Rational Field r(x) = x^16 + x^14 - x^10 - x^8 - x^6 + x^2 + 1

149

pi(x) = 1/25*(-4*zeta_5^3 - 6*zeta_5^2 - 6*zeta_5 - 9)*x^28 + 1/25*(-8*zeta_5^3 - 4*zeta_5^2 - 8*zeta_5 - 5)*x^26 + 1/5*(zeta_5^3 + 2*zeta_5^2 + zeta_5 + 2)*x^24 + 1/25*(13*zeta_5^3 + 13*zeta_5^2 + 10*zeta_5 + 9)*x^22 + 1/25*(-zeta_5^3 - 5*zeta_5^2 - 7*zeta_5 - 12)*x^20 + 1/25*(-11*zeta_5^3 4*zeta_5^2 - 9*zeta_5 - 1)*x^18 + 1/25*(-2*zeta_5^3 - zeta_5^2 2*zeta_5)*x^16 + 1/5*(-2*zeta_5^3 - 3*zeta_5^2 - 3*zeta_5 - 4)*x^14 + 1/25*(2*zeta_5^3 + 2*zeta_5^2 + 1)*x^12 + 1/25*(11*zeta_5^3 + 15*zeta_5^2 + 12*zeta_5 + 17)*x^10 + 1/25*(zeta_5^3 + 4*zeta_5^2 - zeta_5 + 1)*x^8 + 1/25*(-8*zeta_5^3 - 9*zeta_5^2 - 13*zeta_5 - 15)*x^6 + 1/5*(zeta_5^3 + 2*zeta_5^2 + zeta_5 + 2)*x^4 + 1/25*(-7*zeta_5^3 - 7*zeta_5^2 - 10*zeta_5 11)*x^2 + 1/25*(-zeta_5^3 - 2*zeta_5 - 2) rho-value 7 a = 5 b = 2 h = 1 x0 = 56837 C = Hyperelliptic Curve defined by y^2 = x^5 + 34 over GF(1598920562615405290257578999086083203958328461341314570831241049337222591230\ 6522723912749529496920583792695409070025011641212282578661612335006721744818179\ 6884030777095691366540913032101983656114366886849757450354778606898208995471085\ 87653569060420961792532978607961) #Jac(C) = 255654696555436418949156634723325034303093081493929693617857293998947\ 7410106466002722812377336380042958793971460375537329262668851194903518609841989\ 6083666019428005680404683897262666485195499753885069557400226876401241106119893\ 9289012478547689778045569335985260195045375311747244803036622931595661768164990\ 9030825665956769545623119342751968634647665201801954211812037475922802353544730\ 1983575072401586903159387276577283205757668179815416344141832520672824461458674\ 3902374123108114393231231743404950740013242056723528984764986527051 254 bit subgroup rho = 6.972 *

*

*

*

*

*

*

*

*

*

*

*

*

Embedding degree 32 CM field K = Number Field with defining polynomial x^4 + 4*x^2 + 2 over the Rational Field r(x) = x^16 + 1 pi(x) = 1/64*(-K.1^2 - 4*K.1 - 10)*x^26 + 1/32*(-K.1^2 - 2*K.1 - 2)*x^25 + 1/64*(-K.1^2 - 2*K.1 - 10)*x^24 + 1/8*x^23 + 1/32*(-4*K.1^3 + K.1^2 13*K.1 + 1)*x^22 + 1/16*(-2*K.1^3 + K.1^2 - 7*K.1 + 3)*x^21 + 1/32*(K.1^2 + K.1 + 1)*x^20 + 1/64*(8*K.1^3 - K.1^2 + 14*K.1 - 2)*x^18 + 1/32*(4*K.1^3 - K.1^2 + 8*K.1 - 2)*x^17 + 1/64*(-K.1^2 - 34)*x^16 + 1/2*x^15 + 1/8*(-K.1^3 - 2*K.1)*x^14 + 1/8*(-K.1^3 - 2*K.1)*x^13 + 1/64*(8*K.1^3 - K.1^2 + 28*K.1 - 10)*x^10 + 1/32*(4*K.1^3 - K.1^2 + 14*K.1 - 2)*x^9 + 1/64*(-K.1^2 - 2*K.1 - 10)*x^8 + 1/8*x^7 + 1/32*(K.1^2 + 3*K.1 + 1)*x^6 + 1/16*(K.1^2 + K.1 + 3)*x^5 + 1/32*(K.1^2 + K.1 + 1)*x^4 + 1/64*(-K.1^2 - 2*K.1 - 2)*x^2 + 1/32*(-K.1^2 - 2)*x + 1/64*(-K.1^2 - 2) rho-value 13/2 a = 4

b = 3

h = 2

150

x0 = 31403 C = Hyperelliptic Curve defined by y^2 = -x^5 + 3*x^4 + 2*x^3 - 6*x^2 - 3*x + 1 over GF(1664851597763743785809567185642170908394691765637708591644330574889\ 4230040170761346342804777327019777627503178525272912300889628687043173375704186\ 9315808385428579603317148665491127754095775571485453444259315254900284462662017\ 92234849) #Jac(C) = 277173084257649053259107230415305745357938414314646328504067266310855\ 1339378074089119899168516637577451826178699856139902294401899952734716291383807\ 1710617301709329178688841085580190603054648671219175084724991172035893384310297\ 4502284089213250217341346744989810567063268377590076111056903197402720102373272\ 0039199980779504605773773322613451717920311823473893087686072225626636979807373\ 9252751557810156456030590968444260512872460254823603877287331989336327815895449\ 6 239 bit subgroup rho = 6.482 *

*

*

*

*

*

*

*

*

*

*

*

*

Embedding degree 40 CM field K = Number Field with defining polynomial x^4 + x^3 + x^2 + x + 1 over the Rational Field r(x) = x^16 - x^12 + x^8 - x^4 + 1 pi(x) = 1/25*(-2*zeta_5^2 - zeta_5 - 2)*x^26 + 1/25*(10*zeta_5^3 - zeta_5^2 + 2*zeta_5 - 1)*x^25 + 1/25*(15*zeta_5^3 + 3*zeta_5^2 - zeta_5 + 3)*x^24 + 1/25*(3*zeta_5^3 + 4*zeta_5^2 + 3*zeta_5 + 5)*x^22 + 1/25*(-zeta_5^3 + 2*zeta_5^2 - 6*zeta_5)*x^21 + 1/25*(-2*zeta_5^3 - 6*zeta_5^2 + 3*zeta_5 5)*x^20 + 1/5*(-zeta_5^3 - zeta_5^2 - zeta_5 - 1)*x^18 + 1/5*(zeta_5^3 + zeta_5 + 1)*x^17 + 1/5*zeta_5^2*x^16 + 1/5*(zeta_5^3 + zeta_5^2 + zeta_5 + 1)*x^14 + 1/5*(-2*zeta_5^3 - 2*zeta_5^2 - 3*zeta_5 - 1)*x^13 + 1/5*(zeta_5^3 + zeta_5^2 + 2*zeta_5)*x^12 + 1/5*(-zeta_5^3 - zeta_5^2 - zeta_5 - 1)*x^10 + 1/5*(2*zeta_5^3 + 2*zeta_5^2 + 2*zeta_5 + 2)*x^9 + 1/5*(-zeta_5^3 - zeta_5^2 - zeta_5 - 1)*x^8 + 1/25*(5*zeta_5^3 + 3*zeta_5^2 + 4*zeta_5 + 3)*x^6 + 1/25*(-10*zeta_5^3 - 6*zeta_5^2 - 8*zeta_5 - 6)*x^5 + 1/25*(5*zeta_5^3 + 3*zeta_5^2 + 4*zeta_5 + 3)*x^4 + 1/25*(-2*zeta_5^3 - zeta_5^2 2*zeta_5)*x^2 + 1/25*(4*zeta_5^3 + 2*zeta_5^2 + 4*zeta_5)*x + 1/25*(-2*zeta_5^3 - zeta_5^2 - 2*zeta_5) rho-value 13/2 a = 5 b = 1 h = 1 x0 = 16041 C = Hyperelliptic Curve defined by y^2 = x^5 + 2 over GF(3760860834940343169364857935779971772124691800989494242247286941150574352189\ 4881882636782558511380682170367358882897604014410592496600452900281405303544654\ 72887517962485279348704094722957573064729660661552378055407081) #Jac(C) = 141440742197881751492516910094691120550840483164868017907339830937420\ 9872909674387816310397435680916137583036471208831843008941137580494645193130377\ 9733762737269036957045405865712110388043423380796601714363799182562609684067128\ 3522485604346179708511992588939442568486055865527585397459063883973880966868105\ 4708451111309230109206909214248093126443038548656208456502812190290196457328851\ 3693683018500272875105832169869341897165160173805

151

225 bit subgroup rho = 6.438 *

*

*

*

*

*

*

*

*

*

*

*

*

Embedding degree 60 CM field K = Number Field with defining polynomial x^4 + x^3 + x^2 + x + 1 over the Rational Field r(x) = x^16 + x^14 - x^10 - x^8 - x^6 + x^2 + 1 pi(x) = 1/25*(2*zeta_5^3 + zeta_5^2 + 2*zeta_5)*x^28 + 1/25*(2*zeta_5^2 + 6*zeta_5 + 2)*x^27 + 1/25*(-8*zeta_5^3 - 7*zeta_5^2 + 3*zeta_5 - 3)*x^26 + 1/25*(-11*zeta_5^3 - 10*zeta_5^2 - 2*zeta_5 - 7)*x^25 + 1/25*(-8*zeta_5^3 2*zeta_5^2 - 2*zeta_5 - 3)*x^24 + 1/25*(-zeta_5^3 + zeta_5^2 + zeta_5 1)*x^23 + 1/25*(10*zeta_5^3 + 8*zeta_5^2 + 9*zeta_5 + 8)*x^22 + 1/25*(4*zeta_5^3 + 2*zeta_5^2 + 4*zeta_5)*x^21 + 1/25*(6*zeta_5^3 + 5*zeta_5^2 + 2*zeta_5 + 2)*x^20 + 1/5*(zeta_5^3 + zeta_5^2)*x^19 + 1/25*(-7*zeta_5^3 - zeta_5^2 - 2*zeta_5)*x^18 + 1/25*(-7*zeta_5^2 - 6*zeta_5 - 2)*x^17 + 1/25*(3*zeta_5^3 + 7*zeta_5^2 - 8*zeta_5 - 2)*x^16 + 1/25*(zeta_5^3 + 5*zeta_5^2 + 2*zeta_5 + 7)*x^15 + 1/25*(-2*zeta_5^3 8*zeta_5^2 - 3*zeta_5 - 7)*x^14 + 1/25*(-4*zeta_5^3 - 11*zeta_5^2 + 4*zeta_5 + 1)*x^13 + 1/25*(-5*zeta_5^3 + 2*zeta_5^2 + zeta_5 - 3)*x^12 + 1/25*(zeta_5^3 - 2*zeta_5^2 - 4*zeta_5)*x^11 + 1/25*(-zeta_5^3 + 3*zeta_5 2)*x^10 + 1/5*x^9 + 1/25*(7*zeta_5^3 + 6*zeta_5^2 + 2*zeta_5 + 5)*x^8 + 1/25*(2*zeta_5^2 + zeta_5 - 3)*x^7 + 1/25*(-3*zeta_5^3 - 2*zeta_5^2 2*zeta_5 + 2)*x^6 + 1/25*(4*zeta_5^3 + 3*zeta_5 - 2)*x^5 + 1/25*(2*zeta_5^3 + 3*zeta_5^2 - 2*zeta_5 + 2)*x^4 + 1/25*(-zeta_5^3 + zeta_5^2 - 4*zeta_5 1)*x^3 + 1/25*(-2*zeta_5^2 - zeta_5 - 2)*x^2 + 1/25*(-zeta_5^3 - 3*zeta_5^2 - zeta_5)*x + 1/25*(zeta_5^3 + 2*zeta_5 + 2) rho-value 7 a = 5 b = -1 h = 1 x0 = 26384 C = Hyperelliptic Curve defined by y^2 = x^5 + 19 over GF(3149188484721621964796486022253819821139243385693502691124803449486277615940\ 8547665866206106457648797755314058533294191181549246559953907518405359190690741\ 8225000996027587846162771683448843957296712151953046893097979147086067379599646\ 879100194341) #Jac(C) = 991738811230326541919783262997413512347437837670926947929510933411367\ 1279844639358965569634204308223510745432047771237664827005930164333780311225382\ 1709398198579528788855942663473293646288136130646629490467450138253427991596319\ 4273888129071482019382417085399598206225390520796185481710671225431624125209763\ 7078082024179159111360116738167261919561111885256915153017321127578854244325381\ 3349297779038364733424454347588895927409232815025455098150214579773036847177667\ 277282977807292132420696955 236 bit subgroup rho = 6.941

152

A.3

Families of three-dimensional pairing-friendly abelian varieties Below we give data for two families of 3-dimensional abelian varieties with CM by

Q(ζ9 ) and ρ-values of 15. The output of Algorithms 4.4.9 and 2.2.4 are given in the same format as in Appendix A.2; see page 142 for details. By [70, Lemma 1], if q is prime to 6 an abelian variety over Fq with CM by K = Q(ζ9 ) is isomorphic over Fq to the Jacobian of the curve y 3 = x4 + x. By Proposition 1.2.5, given a q-Weil number π ∈ Z[ζ9 ], there is a curve C/Fq of the form y 3 = x4 + ax such that either π or −π is the Frobenius element of Jac(C). Since [(0, 0) − (∞)] is a point of order 3 in Jac(C), we can easily determine which case occurs in the examples below by checking the values mod 3 of n± = NK/Q (±π − 1). In the first example (k = 9) we find that n+ ≡ 0 (mod 3) and n− ≡ 1 (mod 3) so the Frobenius element is π; in the second example (k = 18) we find that n+ ≡ 1 (mod 3) and n− ≡ 0 (mod 3) so the Frobenius element is −π. We can then determine which twist of y 3 = x4 + x over Fq has # Jac(C) = n+ or n− , respectively. Embedding degree 9 CM field K = Cyclotomic Field of order 9 and degree 6 r(x) = x^6 + x^3 + 1 pi(x) = 1/81*(zeta_9^5 - 2*zeta_9^4 - 2*zeta_9^3 - zeta_9^2 - 4)*x^15 + 1/81*(-3*zeta_9^5 + zeta_9^4 - zeta_9 - 3)*x^14 + 1/81*(-6*zeta_9^5 + zeta_9^4 - 3*zeta_9^3 - 3*zeta_9^2 - zeta_9 - 3)*x^13 + 1/81*(2*zeta_9^5 9*zeta_9^4 - 10*zeta_9^3 - 5*zeta_9^2 - 5*zeta_9 - 14)*x^12 + 1/81*(-15*zeta_9^5 + 5*zeta_9^4 - 3*zeta_9^3 - 8*zeta_9 - 18)*x^11 + 1/81*(-12*zeta_9^5 + 2*zeta_9^4 - 15*zeta_9^3 - 12*zeta_9^2 - 5*zeta_9 33)*x^10 + 1/81*(-27*zeta_9^5 - 10*zeta_9^4 - 18*zeta_9^3 - 9*zeta_9^2 28*zeta_9 - 18)*x^9 + 1/9*(-2*zeta_9^5 + zeta_9^4 - 3*zeta_9^3 - 2*zeta_9^2 - 3*zeta_9 - 4)*x^8 + 1/9*(-3*zeta_9^5 - 2*zeta_9^3 - zeta_9^2 - 3*zeta_9 5)*x^7 + 1/81*(-28*zeta_9^5 - 7*zeta_9^4 - 16*zeta_9^3 - 8*zeta_9^2 27*zeta_9 - 41)*x^6 + 1/81*(-15*zeta_9^5 + 8*zeta_9^4 - 27*zeta_9^3 18*zeta_9^2 - 26*zeta_9 - 33)*x^5 + 1/81*(-21*zeta_9^5 - zeta_9^4 15*zeta_9^3 - 6*zeta_9^2 - 26*zeta_9 - 15)*x^4 + 1/81*(-2*zeta_9^5 8*zeta_9^3 - 4*zeta_9^2 + 5*zeta_9 - 31)*x^3 + 1/81*(-3*zeta_9^5 + 4*zeta_9^4 + 3*zeta_9^3 + 9*zeta_9^2 + 8*zeta_9 - 18)*x^2 + 1/81*(12*zeta_9^5 - 2*zeta_9^4 - 3*zeta_9^3 + 3*zeta_9^2 + 5*zeta_9 - 12)*x + 1/81*(zeta_9^4 + zeta_9) rho-value 15 a = 3 b = 1 h = 3 x0 = 6442469677 C = Curve over GF(5411965965472066839922072740950229859614601820299652310481643\ 9807593118362387287422209459616380287295291857749830563342780857846557125279485\ 6636522682009938032818864282346142490372157334576712493997877437770455684381125\

153

1867528028581567237369453938317223182287742184856237794911271878334597959) defined by y^3 = x^4 + 2*x #Jac(C) = 158513103958975947104509214404450115776805031373143139657494070947164\ 4358879260331704494530059508631290232158818206129010673908101762561163308150481\ 7172525293555463492928364243107034373734190057132097661435583189293405357922525\ 3235263819609592055046975906239644708284424762429565028860828751087185473279610\ 0189612424333037872865433261862163736673891757175530831510488277142622287411886\ 0706647174839579704562637732387810875232440579717811601079605382283308667547083\ 5268196048210380424215214668809059614249441622197966529618934373035303345972364\ 3823047293459684463121106151940943661238294037710831997877984549750101778835086\ 6896604781798435995472473426147594330723061875781699553369891609734570393208289\ 6325477272447429395256817627065894743050078631584466406240901585343308585108221\ 5677451953180977575951189570214478893460261850755439067251286745964724359125190\ 17131238207054459 195 bit subgroup rho = 14.99 *

*

*

*

*

*

*

*

*

*

*

*

*

Embedding degree 18 CM field K = Cyclotomic Field of order 9 and degree 6 r(x) = x^6 - x^3 + 1 pi(x) = 1/243*(4*zeta_9^5 + 3*zeta_9^4 + 6*zeta_9^3 + 2*zeta_9^2 + 6)*x^15 + 1/81*(3*zeta_9^5 + 2*zeta_9^4 + 6*zeta_9^3 + zeta_9^2 + 5)*x^14 + 1/81*(-7*zeta_9^5 - 7*zeta_9^4 - 6*zeta_9^2 + 8*zeta_9 - 2)*x^13 + 1/243*(-28*zeta_9^5 + 9*zeta_9^4 + 9*zeta_9^3 - 5*zeta_9^2 + 18*zeta_9 + 18)*x^12 + 1/81*(2*zeta_9^5 + 8*zeta_9^4 - 8*zeta_9^3 - 4*zeta_9^2 3*zeta_9 + 10)*x^11 + 1/81*(-35*zeta_9^4 - 3*zeta_9^3 - 19*zeta_9^2 + 4)*x^10 + 1/243*(31*zeta_9^5 + 57*zeta_9^4 + 36*zeta_9^3 - 61*zeta_9^2 24*zeta_9 + 33)*x^9 + 1/27*(-8*zeta_9^5 + 2*zeta_9^4 + 8*zeta_9^3 6*zeta_9^2 + 2*zeta_9 - 1)*x^8 + 1/27*(-2*zeta_9^5 + zeta_9^4 + zeta_9^3 + zeta_9^2 - 2*zeta_9 - 2)*x^7 + 1/243*(58*zeta_9^5 - 87*zeta_9^4 57*zeta_9^3 + 65*zeta_9^2 - 36*zeta_9 - 3)*x^6 + 1/81*(5*zeta_9^4 9*zeta_9^3 + 19*zeta_9^2 + 12*zeta_9 - 1)*x^5 + 1/81*(8*zeta_9^5 + 17*zeta_9^4 - 3*zeta_9^3 + 9*zeta_9^2 + 14*zeta_9 + 4)*x^4 + 1/243*(-zeta_9^5 + 45*zeta_9^4 + 18*zeta_9^3 + 13*zeta_9^2 + 27*zeta_9)*x^3 + 1/81*(5*zeta_9^5 - 4*zeta_9^4 - 2*zeta_9^3 + 5*zeta_9^2 - 6*zeta_9 2)*x^2 + 1/81*(3*zeta_9^5 - 5*zeta_9^4 + 2*zeta_9^2 - 6*zeta_9 - 2)*x + 1/243*(4*zeta_9^5 - 6*zeta_9^4 + 2*zeta_9^2 - 6*zeta_9 - 3) rho-value 15 a = 3 b = 2 h = 3 x0 = 6442452833 C = Curve over GF(1803847164672279252116736628206644909012632819172715343440478\ 9629680516833507569794304719400461682609945311117711529337496755342079312011191\ 2977954658950872974361582176623477727845287058476848968153037996271739108822323\ 9245365290526176873361887067690718512149103362129934078705813530008358589) defined by y^3 = x^4 + x #twist(Jac(C)) = 586947442120567664480765591768931793342691172633703092510624822614403\

154

4555375419497491021522353415537679029375939821709740077807013420358081221766454\ 5565837118635807461843497339419358028698719477930106962116699615548581233454430\ 8019176352884159529940059294509569768089871029776850328685028330027525807463309\ 0607979139134256769246810446819892950082064276820972030205407392134204652083503\ 0762887477010056762328378105958447816744551696846427591828967014643595736491439\ 3405063584790494103131782324037592633742418058644762691194812058694813687754798\ 1793843790746076965506682756687970380776892580816225284939775021714423299232272\ 4394079402155123816875166386391566968478341535361650547554823939889883514675239\ 2119398609941126791684475341124828129623899713981545557480652412493402740498993\ 4696842518970115441521217524589045074649666038811456235294471152238813765406935\ 140676645411723 195 bit subgroup rho = 14.97

155

Bibliography [1] L. Adleman, J. DeMarrais, and M.-D. Huang. “A subexponential algorithm for discrete logarithms over the rational subgroup of the Jacobians of large genus hyperelliptic curves over finite fields.” In Algorithmic Number Theory — ANTS-I, Springer LNCS 877 (1994), 28–40. [2] A. Agashe, K. Lauter, and R. Venkatesan. “Constructing elliptic curves with a known number of points over a prime field.” In High Primes and Misdemeanours: Lectures in Honour of the 60th Birthday of Hugh Cowie Williams, Fields Institute Communincations 41. American Mathematical Society, Providence, RI (2004), 1–17. [3] A. Atkin and F. Morain. “Elliptic curves and primality proving.” Mathematics of Computation 61 (1993), 29–68. [4] D. Bailey and C. Paar. “Efficient arithmetic in finite field extensions with application in elliptic curve cryptography.” Journal of Cryptology 14 (2001), 153–176. [5] R. Balasubramanian and N. Koblitz.

“The improbability that an elliptic curve

has subexponential discrete log problem under the Menezes-Okamoto-Vanstone algorithm.” Journal of Cryptology 11 (1998), 141–145. [6] E. Barker, W. Barker, W. Burr, W. Polk, and M. Smid. “Recommendation for key management — Part 1: General (revised).” National Institute of Standards and Technology (2006). Available at http://csrc.nist.gov/publications/nistpubs/ 800-57/SP800-57-Part1.pdf. ´ Eigeartaigh, ´ [7] P. Barreto, S. Galbraith, C. O’h and M. Scott. “Efficient pairing computation on supersingular abelian varieties.” Designs, Codes and Cryptography 42 (2007), 239–271.

156 [8] P. Barreto, B. Lynn, and M. Scott. “Constructing elliptic curves with prescribed embedding degrees.” In Security in Communication Networks — SCN 2002, Springer LNCS 2576 (2002), 263–273. [9] P. Barreto and M. Naehrig. “Pairing-friendly elliptic curves of prime order.” In Selected Areas in Cryptography — SAC 2005, Springer LNCS 3897 (2006), 319–331. [10] P. Bateman and R. Horn. “A heuristic asymptotic formula concerning the distribution of prime numbers.” Mathematics of Computation 16 (1962), 363–367. [11] D. Bernstein. “Elliptic vs. hyperelliptic, part 1.” Talk at ECC 2006, Toronto, Canada (20 September 2006). Available at http://cr.yp.to/talks/2006.09.20/slides. pdf. [12] D. Bernstein and J. Sorenson. “Modular exponentiation via the explicit Chinese remainder theorem.” Mathematics of Computation 76 (2007), 443–454. [13] I. Blake, G. Seroussi, and N. Smart. Elliptic Curves in Cryptography, London Mathematical Society Lecture Note Series 265. Cambridge University Press, Cambridge (2000). [14] D. Boneh and M. Franklin. “Identity-based encryption from the Weil pairing.” In Advances in Cryptology — CRYPTO 2001, Springer LNCS 2139 (2001), 213–229. Full version: SIAM Journal on Computing 32 (2003), 586–615. [15] D. Boneh, C. Gentry, and B. Waters. “Collusion resistant broadcast encryption with short ciphertexts and private keys.” In Advances in Cryptology — CRYPTO 2005, Springer LNCS 3621 (2005), 258–275. [16] D. Boneh, E.-J. Goh, and K. Nissim. “Evaluating 2-DNF formulas on ciphertexts.” In Theory of Cryptography — TCC 2005, Springer LNCS 3378 (2005), 325–341. [17] D. Boneh, B. Lynn, and H. Shacham. “Short signatures from the Weil pairing.” In Advances in Cryptology — ASIACRYPT 2001, Springer LNCS 2248 (2001), 514–532. Full version: Journal of Cryptology 17 (2004), 297–319. [18] W. Bosma, J. Cannon, and C. Playoust. “The Magma algebra system. I. The user language.” Journal of Symbolic Computation 24 (1997), 235–265. See also [82].

157 [19] F. Brezing and A. Weng. “Elliptic curves suitable for pairing based cryptography.” Designs, Codes and Cryptography 37 (2005), 133–141. [20] R. Br¨oker. “A p-adic algorithm to compute the Hilbert class polynomial.” To appear in Mathematics of Computation. Available at http://research.microsoft.com/ ∼reinierb/padicj.pdf.

[21] R. Br¨oker. Constructing elliptic curves of prescribed order. Ph.D. dissertation, Universiteit Leiden (2006). Available at http://math.leidenuniv.nl/∼reinier/thesis. pdf. [22] G. Cardona and J. Quer. “Field of moduli and field of definition for curves of genus 2.” In Computational Aspects of Algebraic Curves, Lecture Notes Ser. Comput. 13. World Scientific, Hackensack, NJ (2005), 71–83. [23] J. Chao, O. Nakamura, K. Sobataka, and S. Tsujii. “Construction of secure elliptic cryptosystems using CM tests and liftings.” In Advances in Cryptology — ASIACRYPT 1998, Springer LNCS 1514 (1998), 95–109. [24] L. Chen, Z. Cheng, and N. Smart. “Identity-based key agreement protocols from pairings.” International Journal of Information Security 6 (2007), 213–241. [25] C. Cocks and R. Pinch. “Identity-based cryptosystems based on the Weil pairing.” Unpublished manuscript (2001). While this manuscript is generally unavailable, the main result appears as Theorem 2.3.1 above. [26] H. Cohen. A Course in Computational Algebraic Number Theory, Graduate Texts in Mathematics 138. Springer-Verlag, Berlin (1993). [27] H. Cohn and K. Lauter. “Generating genus 2 curves with complex multiplication.” Technical report, Microsoft Research (2001). [28] J.-M. Couveignes. “Linearizing torsion classes in the Picard group of algebraic curves over finite fields.” Preprint (2007). Available at http://arxiv.org/abs/0706.0272. [29] J.-M. Couveignes and T. Henocq. “Action of modular correspondences around CM points.” In Algorithmic Number Theory — ANTS-V, Springer LNCS 2369 (2002), 234–243.

158 [30] “Digital signature standard (DSS).” Federal Information Processing Standards Publication 186-3 (Draft) (2006). Available at http://csrc.nist.gov/publications/ drafts/fips 186-3/Draft-FIPS-186-3%20 March2006.pdf. [31] P. Duan, S. Cui, and C.-W. Chan. “Effective polynomial families for generating more pairing-friendly elliptic curves.” Cryptology ePrint Archive, Report 2005/236 (2005). Available at http://eprint.iacr.org/2005/236. [32] R. Dupont, A. Enge, and F. Morain. “Building curves with arbitrary small MOV degree over finite prime fields.” Journal of Cryptology 18 (2005), 79–89. [33] S. Duquesne and G. Frey. “Background on pairings.” In Handbook of Elliptic and Hyperelliptic Curve Cryptography. Chapman & Hall/CRC, Boca Raton, FL (2006), 115–124. [34] K. Eisentr¨ager and K. Lauter. “A CRT algorithm for constructing genus 2 curves over finite fields.” To appear in Algebraic Geometry and Coding Theory 2007. Available at http://arxiv.org/abs/math.NT/0405305. [35] A. Enge. “The complexity of class polynomial computation via floating point approximations.”

To appear in Mathematics of Computation.

Available at http:

//fr.arxiv.org/abs/cs.CC/0601104. [36] D. Freeman. “Constructing families of pairing-friendly elliptic curves.” Technical Report HPL-2005-155, Hewlett-Packard Labs (2005). Available at http://www.hpl. hp.com/techreports/2005/HPL-2005-155.html. [37] D. Freeman. “Constructing pairing-friendly elliptic curves with embedding degree 10.” In Algorithmic Number Theory — ANTS-VII, Springer LNCS 4076 (2006), 452–465. [38] D. Freeman. “Constructing pairing-friendly genus 2 curves with ordinary Jacobians.” In Pairing-Based Cryptography — Pairing 2007, Springer LNCS 4575 (2007), 152– 176. [39] D. Freeman. “A generalized Brezing-Weng algorithm for constructing pairing-friendly ordinary abelian varieties.” Cryptology ePrint Archive, Report 2008/155 (2008). Available at http://eprint.iacr.org/2008/155.

159 [40] D. Freeman and K. Lauter. “Computing endomorphism rings of Jacobians of genus 2 curves over finite fields.” In Algebraic Geometry and its Applications, ed. J. Chaumine, J. Hirschfeld, and R. Rolland, Number Theory and Its Applications 5. World Scientific (2008), 29–66. [41] D. Freeman, M. Scott, and E. Teske. “A taxonomy of pairing-friendly elliptic curves.” Cryptology ePrint Archive, Report 2006/372 (2006). Available at http://eprint. iacr.org/2006/372. [42] D. Freeman, P. Stevenhagen, and M. Streng. “Abelian varieties with prescribed embedding degree.” In Algorithmic Number Theory — ANTS-VIII, Springer LNCS 5011 (2008), 60–73. [43] G. Frey and H.-G. R¨ uck. “A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves.” Mathematics of Computation 62 (1994), 865–874. [44] S. Galbraith. “Supersingular curves in cryptography.” In Advances in Cryptology — ASIACRYPT 2001, Springer LNCS 2248 (2001), 495–513. [45] S. Galbraith. “Pairings.” In Advances in Elliptic Curve Cryptography, London Math. Soc. Lecture Note Ser. 317. Cambridge University Press, Cambridge (2005), 183–213. [46] S. Galbraith, J. McKee, and P. Valen¸ca. “Ordinary abelian varieties having small embedding degree.” Finite Fields and their Applications 13 (2007), 800–814. [47] S. Galbraith, K. Paterson, and N. Smart. “Pairings for cryptographers.” Cryptology ePrint Archive, Report 2006/165 (2006). Available at http://eprint.iacr.org/ 2006/165. [48] P. Gaudry. “Index calculus for abelian varieties and the elliptic curve discrete logarithm problem.” To appear in Journal of Symbolic Computation. Available at http://eprint.iacr.org/2004/073. [49] P. Gaudry. “An algorithm for solving the discrete log problem on hyperelliptic curves.” In Advances in Cryptology — EUROCRYPT 2000, Springer LNCS 1807 (2000), 19– 34.

160 [50] P. Gaudry and R. Harley. “Counting points on hyperelliptic curves over finite fields.” In Algorithmic Number Theory — ANTS-IV, Springer LNCS 1838 (2000), 313–332. [51] P. Gaudry, T. Houtmann, D. Kohel, C. Ritzenthaler, and A. Weng. “The 2-adic CM method for genus 2 curves with application to cryptography.” In Advances in Cryptology — ASIACRYPT 2006, Springer LNCS 4284 (2006), 114–129. Preprint version available at http://arxiv.org/abs/math/0503148. ´ Schost. “Construction of secure random curves of genus 2 over [52] P. Gaudry and E. prime fields.” In Advances in Cryptology — EUROCRYPT 2004, Springer LNCS 3027 (2004), 239–256. [53] P. Gaudry, E. Thom´e, N. Th´eriault, and C. Diem. “A double large prime variation for small genus hyperelliptic index calculus.” Mathematics of Computation 76 (2007), 475–492. [54] E. Goren and K. Lauter. “Class invariants for quartic CM fields.” Annales de l’Institut Fourier 57 (2007), 457–480. [55] R. Hartshorne. Algebraic Geometry, Graduate Texts in Mathematics 52. SpringerVerlag, New York (1977). [56] F. Hess, N. Smart, and F. Vercauteren. “The eta pairing revisited.” IEEE Transactions on Information Theory 52 (2006), 4595–4602. [57] L. Hitt. “Families of genus 2 curves with small embedding degree.” Cryptology ePrint Archive, Report 2007/001 (2007). Available at http://eprint.iacr.org/2007/001. [58] L. Hitt. “On the minimal embedding field.” In Pairing-Based Cryptography — Pairing 2007, Springer LNCS 4575 (2007), 294–301. [59] E. Howe. “Principally polarized ordinary abelian varieties over finite fields.” Transactions of the American Mathematical Society 347 (1995), 2361–2401. [60] A. Joux. “A one round protocol for tripartite Diffie-Hellman.” In Algorithmic Number Theory — ANTS-IV, Springer LNCS 1838 (2000), 385–393. Full version: Journal of Cryptology 17 (2004), 263–276.

161 [61] E. Kachisa. Constructing Brezing-Weng pairing friendly elliptic curves using elements in the cyclotomic field. Master’s thesis, Mzuzu University (2007). Some results appear in [62]. [62] E. Kachisa, E. Schaefer, and M. Scott. “Constructing Brezing-Weng pairing friendly elliptic curves using elements in the cyclotomic field.” Cryptology ePrint Archive, Report 2007/452 (2007). Available at http://eprint.iacr.org/2007/452. [63] K. Karabina. On prime-order elliptic curves with embedding degrees 3, 4 and 6. Master’s thesis, University of Waterloo (2006). [64] M. Kawazoe and T. Takahashi. “Pairing-friendly hyperelliptic curves of type y 2 = x5 + ax.” Cryptology ePrint Archive, Report 2008/026 (2008). Available at http: //eprint.iacr.org/2008/026. [65] N. Koblitz. “Elliptic curve cryptosystems.” Mathematics of Computation 48 (1987), 203–209. [66] N. Koblitz. “Hyperelliptic cryptosystems.” Journal of Cryptology 1 (1989), 139–150. [67] N. Koblitz. “Good and bad uses of elliptic curves in cryptography.” Moscow Mathematical Journal 2 (2002), 693–715, 805–806. [68] N. Koblitz and A. Menezes. “Pairing-based cryptography at high security levels.” In Cryptography and Coding, Springer LNCS 3796 (2005), 13–36. [69] D. Kohel. “Quartic CM fields database.” Available at http://echidna.maths.usyd. edu.au/kohel/dbs/complex multiplication2.html. [70] K. Koike and A. Weng. “Construction of CM Picard curves.” Mathematics of Computation 74 (2005), 499–518. [71] S. Lang. Elliptic Functions, Graduate Texts in Mathematics 112. Second edition. Springer-Verlag, New York (1987). [72] S. Lang.

Algebra, Graduate Texts in Mathematics 211.

Springer-Verlag, New York (2002).

Revised third edition.

162 [73] K. Lauter. “The maximum or minimum number of rational points on genus three curves over finite fields.” Compositio Mathematica 134 (2002), 87–111. With an appendix by Jean-Pierre Serre. [74] A. K. Lenstra. “Unbelievable security (Matching AES security using public key systems).” In Advances in Cryptology — ASIACRYPT 2001, Springer LNCS 2248 (2001), 67–86. [75] H. W. Lenstra, Jr. “Solving the Pell equation.” Notices of the American Mathematical Society 49 (2002), 182–192. [76] H. W. Lenstra, Jr., J. Pila, and C. Pomerance. “A hyperelliptic smoothness test. II.” Proceedings of the London Mathematical Society (3) 84 (2002), 105–146. [77] R. Lidl and H. Niederreiter. Finite Fields, Encyclopedia of Mathematics and its Applications 20. Second edition. Cambridge University Press, Cambridge (1997). [78] J. Lubin, J.-P. Serre, and J. Tate. “Elliptic curves and formal groups.” Lecture notes from Summer Institute on Algebraic Geometry, Woods Hole, Massachusetts, July 1964. Available at http://www.ma.utexas.edu/users/voloch/lst.html. [79] F. Luca, D. Mireles, and I. Shparlinski. “MOV attack in various subgroups on elliptic curves.” Illinois Journal of Mathematics 48 (2004), 1041–1052. [80] F. Luca and I. Shparlinski. “Elliptic curves with low embedding degree.” Journal of Cryptology 19 (2006), 553–562. [81] F. Luca and I. Shparlinski. “On finite fields for pairing based cryptography.” Advances in Mathematics of Communications 1 (2007), 281–286. [82] “MAGMA Computational Algebra System.” Computational Algebra Group, School of Mathematics and Statistics, University of Sydney. Available at http://magma. maths.usyd.edu.au. [83] K. Matthews. “The Diophantine equation x2 − Dy 2 = N, D > 0.” Expositiones Mathematicae 18 (2000), 323–331. [84] A. Menezes. Elliptic Curve Public Key Cryptosystems, Kluwer International Series in Engineering and Computer Science 234. Kluwer Academic, Boston (1993).

163 [85] A. Menezes. “Introduction to pairing-based cryptography.” Notes from lectures given in Santander, Spain (2005). Available at http://www.cacr.math.uwaterloo.ca/ ∼ajmeneze/publications/pairings.pdf.

[86] A. Menezes, T. Okamoto, and S. Vanstone. “Reducing elliptic curve logarithms to logarithms in a finite field.” IEEE Transactions on Information Theory 39 (1993), 1639–1646. [87] A. Menezes and S. Vanstone. “Isomorphism classes of elliptic curves over finite fields of characteristic 2.” Utilitas Mathematica 38 (1990), 135–153. [88] J.-F. Mestre. “Construction de courbes de genre 2 `a partir de leurs modules.” In Effective Methods in Algebraic Geometry, Progress in Mathematics 94. Birkh¨ auser, Boston, MA (1991), 313–334. [89] V. Miller. “Use of elliptic curves in cryptography.” In Advances in Cryptology — CRYPTO 1985, Springer LNCS 218 (1986), 417–426. [90] J. S. Milne. “Abelian varieties.” In Arithmetic Geometry, ed. G. Gornell and J. Silverman. Springer, New York (1986), 103–150. [91] J. S. Milne. “Jacobian varieties.” In Arithmetic Geometry, ed. G. Gornell and J. Silverman. Springer, New York (1986), 167–212. [92] J. S. Milne. “Abelian varieties.” Version 2.00 (2008). Available at www.jmilne.org/ math. [93] A. Miyaji, M. Nakabayashi, and S. Takano.

“Characterization of elliptic curve

traces under FR-reduction.” In Information Security and Cryptology — ICISC 2000, Springer LNCS 2015 (2001), 90–108. [94] R. Mollin. Fundamental Number Theory with Applications. CRC Press, Boca Raton, FL (1998). [95] F. Morain. “Classes d’isomorphismes des courbes elliptiques supersinguli`eres en caract´eristique ≥ 3.” Utilitas Mathematica 52 (1997), 241–253.

164 [96] A. Murphy and N. Fitzpatrick. “Elliptic curves for pairing applications.” Cryptology ePrint Archive, Report 2005/302 (2005). Available at http://eprint.iacr.org/ 2005/302. [97] M. Naehrig, P. Barreto, and P. Schwabe.

“On compressible pairings and their

computation.” Cryptology ePrint Archive, Report 2007/429 (2007). Available at http://eprint.iacr.org/2007/429. [98] J. Neukirch.

Algebraic Number Theory, Grundlehren der Mathematischen Wis-

senschaften [Fundamental Principles of Mathematical Sciences] 322. Springer-Verlag, Berlin (1999). Translated from the German by N. Schappacher. [99] A. Odlyzko. “Discrete logarithms in finite fields and their cryptographic significance.” In Advances in Cryptology — EUROCRYPT 1984, Springer LNCS 209 (1985), 224– 314. [100] F. Oort and K. Ueno. “Principally polarized abelian varieties of dimension two or three are Jacobian varieties.” Journal of the Faculty of Science, University of Tokyo, Section IA: Mathematics 20 (1973), 377–381. [101] D. Page, N. Smart, and F. Vercauteren. “A comparison of MNT curves and supersingular curves.” Applicable Algebra in Engineering, Communication and Computing 17 (2006), 379–392. [102] PARI/GP, version 2.3.0.

Bordeaux (2006).

Available at http://pari.math.

u-bordeaux.fr. [103] S. Pohlig and M. Hellman. “An improved algorithm for computing logarithms over GF (p) and its cryptographic significance.” IEEE Transactions on Information Theory IT-24 (1978), 106–110. [104] J. M. Pollard. “Monte Carlo methods for index computation (mod p).” Mathematics of Computation 32 (1978), 918–924. [105] J. Robertson. “Solving the generalized Pell equation.” Unpublished manuscript (2004). Available at http://hometown.aol.com/jpr2718/pell.pdf. [106] S. Ross. A First Course in Probability. Fifth edition. Prentice-Hall, Upper Saddle River, NJ (1998).

165 [107] K. Rubin and A. Silverberg. “Finding composite order ordinary elliptic curves using the Cocks-Pinch method.” In preparation. [108] K. Rubin and A. Silverberg. “Supersingular abelian varieties in cryptology.” In Advances in Cryptology — CRYPTO 2002, Springer LNCS 2442 (2002), 336–353. [109] R. Sakai, K. Ohgishi, and M. Kasahara. “Cryptosystems based on pairings.” Symposium on Cryptography and Information Security — SCIS 2000, Okinawa, Japan (2000). [110] E. Schaefer. “A new proof for the non-degeneracy of the Frey-R¨ uck pairing and a connection to isogenies over the base field.” In Computational Aspects of Algebraic Curves, Lecture Notes Ser. Comput. 13. World Scientific, Hackensack, NJ (2005), 1–12. [111] M. Scott. Personal communication (7 November 2005). [112] M. Scott and P. Barreto. “Compressed pairings.” In Advances in Cryptology — CRYPTO 2004, Springer LNCS 3152 (2004), 140–156. [113] M. Scott and P. Barreto. “Generating more MNT elliptic curves.” Designs, Codes and Cryptography 38 (2006), 209–217. [114] A. Shamir. “Identity-based cryptosystems and signature schemes.” In Advances in Cryptology — CRYPTO 1984, Springer LNCS 196 (1985), 47–53. [115] G. Shimura. Abelian Varieties with Complex Multiplication and Modular Functions, Princeton Mathematical Series 46. Princeton University Press, Princeton, NJ (1998). [116] V. Shoup. “NTL: a library for doing number theory.” Available at http://www. shoup.net/ntl/. [117] J. Silverman. The Arithmetic of Elliptic Curves, Graduate Texts in Mathematics 106. Springer-Verlag, New York (1986). [118] J. Silverman. Advanced Topics in the Arithmetic of Elliptic Curves, Graduate Texts in Mathematics 151. Springer-Verlag, New York (1994).

166 [119] A.-M. Spallek.

Kurven vom Geschlecht 2 und ihre Anwendung in Public-Key-

Kryptosystemen. Ph.D. dissertation, Institut f¨ ur Experimentelle Mathematik, Universit¨at GH Essen (1994). [120] B. Spearman and K. Williams. “Relative integral bases for quartic fields over quadratic subfields.” Acta Mathematica Hungarica 70 (1996), 185–192. [121] T. Takagi, T. Okamoto, E. Okamoto, and T. Okamoto, eds. Pairing-Based Cryptography — Pairing 2007, Springer LNCS 4575 (2007). [122] J. Tate. “Classes d’isog´enie des vari´et´es ab´eliennes sur un corps fini (d’apr`es T. Honda).” In S´eminaire Bourbaki 1968/69, Springer Lect. Notes in Math. 179 (1971), 95–110. [123] P. van Oorschot and M. Wiener. “Parallel collision search with cryptanalytic applications.” Journal of Cryptology 12 (1999), 1–28. [124] P. van Wamelen. “Examples of genus two CM curves defined over the rationals.” Mathematics of Computation 68 (1999), 307–320. [125] E. Verheul. “Evidence that XTR is more secure than supersingular elliptic curve cryptosystems.” Journal of Cryptology 17 (2004), 277–296. [126] Voltage Security Inc. http://voltage.com. [127] J. von zur Gathen and J. Gerhard. Modern Computer Algebra. Second edition. Cambridge University Press, Cambridge (2003). [128] W. C. Waterhouse. “Abelian varieties over finite fields.” Annales Scientifiques de ´ l’Ecole Normale Sup´erieure. Quatri`eme S´erie 2 (1969), 521–560. [129] W. C. Waterhouse and J. S. Milne. “Abelian varieties over finite fields.” In 1969 Number Theory Institute (Proc. Sympos. Pure Math., Vol. XX, State Univ. New York, Stony Brook, N.Y., 1969). American Mathematical Society, Providence, RI (1971), 53–64. [130] A. Weng. “A class of hyperelliptic CM-curves of genus three.” Journal of the Ramanujan Mathematical Society 16 (2001), 339–372.

167 [131] A. Weng. “Constructing hyperelliptic curves of genus 2 suitable for cryptography.” Mathematics of Computation 72 (2003), 435–458. [132] A. Weng. “Extensions and improvements for the CM method for genus two.” In High Primes and Misdemeanours: Lectures in Honour of the 60th Birthday of Hugh Cowie Williams, Fields Institute Communications 41. American Mathematical Society, Providence, RI (2004), 379–389.